Splunk Cloud Platform

Getting Data In

Forward data

The Forward data page lets you select and control forwarders that have connected to the Splunk platform instance. You can configure the forwarders so that they send data to the instance.

This page appears when you click the Forward button on the Add data page. It appears in the following cases:

  • You use a single instance of Splunk Enterprise that acts as an indexer and a deployment server.
  • You use a Free Trial Splunk Cloud Platform deployment and have configured a universal forwarder to connect to the Splunk Cloud Platform instance as a deployment client.

If one of these scenarios fits your situation, then you can manage available forwarders by following the "Use the Select Forwarders page to define and populate server classes with forwarders" procedure, described later in this topic.

If you have multiple machines in your Splunk deployment that perform indexing, then this page isn't useful. Instead, see About deployment server and forwarder management in Updating Splunk Enterprise Instances to learn about the deployment server and how to use it to manage forwarder configurations to send to multiple indexers.

If you have a Splunk Cloud Platform deployment, then this page isn't available. Instead, you can install an on-premises deployment server to synchronize forwarder configurations so that you don't have to manage forwarders manually.

Prerequisites for using the Forward data page

To use the Forward Data page to configure data inputs, you must configure at least one forwarder as a deployment client. If you haven't configured a forwarder as a deployment client, the page notifies you that no deployment clients have been found.

To configure a heavy forwarder as a deployment client, see Configure deployment clients in the Updating Splunk Enterprise Instances manual.

To configure a universal forwarder as a deployment client, see Deploy the universal forwarder in the Splunk Universal Forwarder manual.

Use the Select Forwarders page to define and populate server classes with forwarders

When you select Forward Data from the Add Data page, the Select Forwarders page appears.

You can define server classes and add forwarders to those classes. Server classes are logical groupings of hosts based on things such as architecture or host name.

This page displays forwarders that you configured to forward data and act as deployment clients to this instance. If you haven't configured any forwarders, the page advises you of this.

The following procedure lets you set up server classes for forwarders that have reported themselves as deployment clients to this Splunk platform instance.

  1. In Select Server Class, click one of the options.
    • Click New to create a new server class, or if an existing server class doesn't match the group of forwarders for which you want to configure a data input.
    • Click Existing to use an existing server class.
  2. In the Available host(s) pane, choose the forwarders that you want this instance to receive data from. The forwarders move from the Available host(s) pane to the Selected host(s) pane.

    A server class must contain hosts of a certain platform. You cannot, for example, put Windows and *nix hosts in the same server class.

  3. (Optional) You can add all of the hosts by clicking the add all link, or remove all hosts by selecting the remove all link.
  4. If you chose New in Select server class, enter a unique name for the server class. Otherwise, select the server class you want from the drop-down list.
  5. Click Next. The Select Source page shows source types that are valid for the forwarders that you selected.
  6. Select the data sources that you want the forwarders to send data to this instance.
  7. Click Next.

Next step

Modify input settings

Last modified on 04 April, 2022
Monitor data   Assign the correct source types to your data

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters