Splunk Cloud Platform

Forwarding Data

Deploy a light forwarder

The light forwarder was deprecated in Splunk Enterprise version 6.0. For a list of all deprecated features, see Deprecated features in the Release Notes.

You can install a light forwarder on a full Splunk Enterprise instance. For information on how to install a universal forwarder, which is the recommended replacement for the light forwarder, see Install the universal forwarder software in the Universal Forwarder manual.

To enable forwarding and receiving, configure both a receiver and a forwarder. The receiver receives the data and the forwarder sends data to the receiver.

A Splunk best practice is to set up the receiver first. You can then set up forwarders to send data to that receiver.

Setting up a light forwarder is a two-step process:

  1. Install a full Splunk Enterprise instance.
  2. Enable forwarding on the instance.

Note: When you configure a Splunk instance as a light forwarder, select the forwarder license. For more information, see Types of Splunk licenses.

Set up forwarding

You can use the CLI as a quick way to enable forwarding.

You can also enable, as well as configure, forwarding by creating an outputs.conf file on the Splunk instance. Although setting up forwarders with outputs.conf requires a bit more initial knowledge, there are obvious advantages to performing all forwarder configurations in a single location. Most advanced configuration options are available only through outputs.conf. In addition, if you will be enabling and configuring a number of forwarders, you can easily accomplish this by editing a single outputs.conf file and making a copy for each forwarder. See the topic "Configure forwarders with outputs.conf" for more information.

Set up light forwarding with the CLI

To set up light forwarding, perform the following steps:

  1. From a shell or command prompt, navigate to the $SPLUNK_HOME/bin/ directory and run the following command: splunk enable app SplunkLightForwarder -auth <username>:<password>
  2. Restart the forwarder.

To disable the light forwarder mode, run the following command:

splunk disable app SplunkLightForwarder -auth <username>:<password>

This command reverts the forwarder to a full Splunk Enterprise instance.

Start forwarding activity from the CLI

  1. From a shell or command prompt, navigate to the $SPLUNK_HOME/bin/ directory.
  2. To start forwarding activity, specify the receiver with the splunk add forward-server command: splunk add forward-server <host>:<port> -auth <username>:<password>

To end forwarding activity, enter:

splunk remove forward-server <host>:<port> -auth <username>:<password>

Note: Although this command ends forwarding activity, the instance remains configured as a forwarder. To revert the instance to a full Splunk Enterprise instance, use the disable command, as described earlier in this topic.

After invoking either of these commands, restart the forwarder.

Last modified on 29 March, 2022
Deploy a heavy forwarder   Configure data collection on forwarders with inputs.conf

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308 (latest FedRAMP release), 9.1.2312, 9.2.2403

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters