Deploy a light forwarder
The light forwarder was deprecated in Splunk Enterprise version 6.0. For a list of all deprecated features, see Deprecated features in the Release Notes.
You can install a light forwarder on a full Splunk Enterprise instance. For information on how to install a universal forwarder, which is the recommended replacement for the light forwarder, see Install the universal forwarder software in the Universal Forwarder manual.
To enable forwarding and receiving, configure both a receiver and a forwarder. The receiver receives the data and the forwarder sends data to the receiver.
A Splunk best practice is to set up the receiver first. You can then set up forwarders to send data to that receiver.
Setting up a light forwarder is a two-step process:
- Install a full Splunk Enterprise instance.
- Enable forwarding on the instance.
Note: When you configure a Splunk instance as a light forwarder, select the forwarder license. For more information, see Types of Splunk licenses.
Set up forwarding
You can use the CLI as a quick way to enable forwarding.
You can also enable, as well as configure, forwarding by creating an outputs.conf file on the Splunk instance. Although setting up forwarders with outputs.conf requires a bit more initial knowledge, there are obvious advantages to performing all forwarder configurations in a single location. Most advanced configuration options are available only through outputs.conf. In addition, if you will be enabling and configuring a number of forwarders, you can easily accomplish this by editing a single outputs.conf file and making a copy for each forwarder. See the topic "Configure forwarders with outputs.conf" for more information.
Set up light forwarding with the CLI
To set up light forwarding, perform the following steps:
- From a shell or command prompt, navigate to the $SPLUNK_HOME/bin/ directory and run the following command:
splunk enable app SplunkLightForwarder -auth <username>:<password>
- Restart the forwarder.
To disable the light forwarder mode, run the following command:
splunk disable app SplunkLightForwarder -auth <username>:<password>
This command reverts the forwarder to a full Splunk Enterprise instance.
Start forwarding activity from the CLI
- From a shell or command prompt, navigate to the $SPLUNK_HOME/bin/ directory.
- To start forwarding activity, specify the receiver with the splunk add forward-server command:
splunk add forward-server <host>:<port> -auth <username>:<password>
To end forwarding activity, enter:
splunk remove forward-server <host>:<port> -auth <username>:<password>
Note: Although this command ends forwarding activity, the instance remains configured as a forwarder. To revert the instance to a full Splunk Enterprise instance, use the disable command, as described earlier in this topic.
After invoking either of these commands, restart the forwarder.
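The two CLI procedures above, combined into one script as an added example (not part of the Splunk documentation). It omits -auth so that the splunk CLI prompts for credentials instead of leaving them in shell history and the process list, and it validates <host>:<port> before use. The /opt/splunk default path and the function names valid_receiver and setup_light_forwarder are assumptions made for this example.

```shell
#!/bin/sh
# Added example: enable light forwarding and point it at a receiver.
# No -auth argument is passed; the splunk CLI prompts for credentials.
SPLUNK_BIN="${SPLUNK_HOME:-/opt/splunk}/bin/splunk"   # assumed install path

# valid_receiver HOST:PORT -> 0 if well formed (hostname or IPv4 only), else 1.
valid_receiver() {
    host=${1%:*}
    port=${1##*:}
    [ "$host" != "$1" ] || return 1            # no colon present
    case $host in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;    # empty, option-like, or odd chars
    esac
    case $port in
        ''|*[!0-9]*) return 1 ;;               # port must be digits only
    esac
    [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# setup_light_forwarder HOST:PORT -> runs the page's steps in order.
setup_light_forwarder() {
    valid_receiver "$1" || { echo "bad receiver: $1" >&2; return 2; }
    "$SPLUNK_BIN" enable app SplunkLightForwarder || return 1
    "$SPLUNK_BIN" restart || return 1          # restart after enabling the app
    "$SPLUNK_BIN" add forward-server "$1" || return 1
    "$SPLUNK_BIN" restart || return 1          # restart after adding the receiver
    "$SPLUNK_BIN" list forward-server          # confirm the receiver is listed
}

# Run only when a receiver is given, e.g.: ./script.sh idx1.example.com:9997
if [ "$#" -gt 0 ]; then
    setup_light_forwarder "$1"
fi
```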
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)