Splunk® Enterprise

Forwarding Data

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Enable forwarding on a Splunk Enterprise instance

A Splunk Enterprise instance can be configured to forward data to another instance of Splunk Enterprise. This is used primarily for:

  • Forwarding logs from local data sources and sending them to the indexers.
  • Forwarding Splunk Enterprise internal logs from the search heads or other supporting roles to the indexers in a distributed or clustered environment.
  • Establishing an intermediate forwarder layer with heavy or universal forwarders. These intermediate forwarders act as an aggregation and routing layer, consolidating incoming data streams from many forwarders and sending the events out to other forwarders or indexers.


Set up forwarding

  1. Determine which Splunk Enterprise instance will forward data.
  2. Collect the list of the receivers (other forwarders or indexers) the instances are communicating with.
  3. On the forwarding instance, use Splunk Web or the CLI commands to configure and enable forwarding. See Deploy a heavy forwarder.
  4. (Optional) Use the deployment server to configure and enable forwarding through an app. See Configure deployment clients in the Updating Splunk Enterprise Instances manual.
  5. (Optional) On the indexers, search the _internal index for data to confirm that forwarding was successful. For example:

    index=_internal host=<forwarder host name>

  6. (Optional) If you intend the forwarding instance to be an intermediate forwarder and accept incoming data streams from other forwarders, configure receiving. See Enable a receiver.

Enable forwarding on a universal forwarder instance

If you're looking for the universal forwarder instructions, see one of the following topics in the Forwarder Manual:

Documentation:Forwarder:Forwarder:ConfigSCUFCredentials

Last modified on 29 March, 2022
PREVIOUS
Compatibility between forwarders and indexers
  NEXT
Heavy and light forwarder capabilities

This documentation applies to the following versions of Splunk® Enterprise: 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters