Enable forwarding on a Splunk Enterprise instance
A Splunk Enterprise instance can be configured to forward data to another instance of Splunk Enterprise. This is used primarily for:
- Forwarding logs from local data sources and sending them to the indexers.
- Forwarding Splunk Enterprise internal logs from the search heads or other supporting roles to the indexers in a distributed or clustered environment.
- Establishing an intermediate forwarder layer with heavy or universal forwarders. These intermediate forwarders act as an aggregation and routing layer, consolidating incoming data streams from many forwarders and sending the events out to other forwarders or indexers.
Set up forwarding
- Determine which Splunk Enterprise instance will forward data.
- Collect the list of the receivers (other forwarders or indexers) the instances are communicating with.
- On the forwarding instance, use Splunk Web or the CLI commands to configure and enable forwarding. See Deploy a heavy forwarder.
- (Optional) Use the deployment server to configure and enable forwarding through an app. See Configure deployment clients in the Updating Splunk Enterprise Instances manual.
- (Optional) On the indexers, search the
_internal
index for data to confirm that forwarding was successful. For example:index=_internal host=<forwarder host name>
- (Optional) If you intend the forwarding instance to be an intermediate forwarder and accept incoming data streams from other forwarders, configure receiving. See Enable a receiver.
Enable forwarding on a universal forwarder instance
If you're looking for the universal forwarder instructions, see Deploy the universal forwarder in the Forwarder manual.
Compatibility between forwarders and indexers | Heavy and light forwarder capabilities |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.2.2406 (latest FedRAMP release), 9.0.2205, 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403
Feedback submitted, thanks!