Deploy a light forwarder
The light forwarder was deprecated in Splunk Enterprise version 6.0. For a list of all deprecated features, see Deprecated features in the Release Notes.
You can install a light forwarder on a full Splunk Enterprise instance. For information on how to install a universal forwarder, which is the recommended replacement for the light forwarder, see Install the universal forwarder in the Universal Forwarder manual.
To enable forwarding and receiving, configure both a receiver and a forwarder. The receiver receives the data and the forwarder sends data to the receiver.
A Splunk best practice is to set up the receiver first. You can then set up forwarders to send data to that receiver.
Setting up a light forwarder is a two-step process:
- Install a full Splunk Enterprise instance.
- Enable forwarding on the instance.
Note: When you configure a Splunk instance as a light forwarder, select the forwarder license. For more information, see Types of Splunk licenses.
Set up forwarding
You can use the CLI as a quick way to enable forwarding.
You can also enable, as well as configure, forwarding by creating an outputs.conf
file on the Splunk instance. Although setting up forwarders with outputs.conf
requires a bit more initial knowledge, there are obvious advantages to performing all forwarder configurations in a single location. Most advanced configuration options are available only through outputs.conf
. In addition, if you will be enabling and configuring a number of forwarders, you can easily accomplish this by editing a single outputs.conf
file and making a copy for each forwarder. See the topic "Configure forwarders with outputs.conf" for more information.
Set up light forwarding with the CLI
To set up light forwarding, perform the following steps:
- From a shell or command prompt, navigate to the
$SPLUNK_HOME/bin/
directory and run the following command:splunk enable app SplunkLightForwarder -auth <username>:<password>
- Restart the forwarder.
To disable the light forwarder mode, run the following command:
splunk disable app SplunkLightForwarder -auth <username>:<password>
This command reverts the forwarder to a full Splunk Enterprise instance.
Start forwarding activity from the CLI
- From a shell or command prompt, navigate to the
$SPLUNK_HOME/bin/
directory. - To start forwarding activity, specify the receiver with the
splunk add forward-server
command:splunk add forward-server <host>:<port> -auth <username>:<password>
To end forwarding activity, enter:
splunk remove forward-server <host>:<port> -auth <username>:<password>
Note: Although this command ends forwarding activity, the instance remains configured as a forwarder. To revert the instance to a full Splunk Enterprise instance, use the disable
command, as described earlier in this topic.
After invoking either of these commands, restart the forwarder.
Deploy a heavy forwarder | Configure data collection on forwarders with inputs.conf |
This documentation applies to the following versions of Splunk® Enterprise: 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2
Feedback submitted, thanks!