Configure an intermediate forwarder
This topic provides instructions on how to set up an intermediate forwarder tier.
Intermediate forwarding is where a forwarder receives data from one or more forwarders and then sends that data on to another indexer. This kind of setup is useful when, for example, you have many hosts in different geographical regions and you want to send data from those forwarders to a central host in that region before forwarding the data to an indexer. All forwarder types can act as an intermediate forwarder.
For instructions on how to set up intermediate forwarding on a universal forwarder, see Configure an intermediate forwarder in the Universal Forwarder manual.
Set up intermediate forwarding with Splunk Web
1. In Splunk Web, log into the Splunk instance that you want to configure as an intermediate forwarder.
2. In the system bar, choose Settings > Forwarding and receiving.
3. Under "Receive data", click Add new. The "Receive data > Add New" page loads.
4. In the Listen on this port field, enter the port number that the instance should listen on for incoming forwarder connections.
5. Click Save. The forwarder starts listening on the specified port and Splunk Web displays the "Receive data" page.
6. Under "Receive data", click Forwarding and receiving. Splunk Web displays the "Forwarding and receiving" page again.
7. Under "Forward data", on the "Configure forwarding" line, click Add New. The "Forward data > Add New" page loads.
8. In the "Host" field, enter the host name or IP address and port of the indexer that should receive the forwarded data.
Note: Do not use the port you specified earlier for this instance unless you configured the same port number on the receiver.
9. Click Save. Splunk Web saves the configuration and the forwarder attempts to connect to the specified host and port.
10. Restart the forwarder. From the system bar, click Settings > Server controls.
11. Click Restart Splunk.
Repeat these instructions on additional hosts to set up a tier of intermediate forwarders.
Set up intermediate forwarding with configuration files
1. Open a command or shell prompt on the host you want to act as an intermediate forwarder.
2. Edit inputs.conf
to configure the forwarder to receive data, as described in Configure data collection on forwarders with inputs.conf.
3. Configure the forwarder to send data to the receiving indexer, as described in "Configure forwarders with outputs.conf."
4. (Optional) Edit inputs.conf
on the intermediate forwarder to configure any local data inputs.
5. Restart the forwarder.
Repeat these steps to add more forwarders to the tier.
Configure forwarders to use the intermediate forwarding tier
To set up additional forwarders to send their data to the intermediate forwarding tier:
1. If you have not already, install the universal forwarder.
2. Configure the forwarder to send data to the intermediate forwarder.
3. (Optional) Configure local data inputs on the forwarder.
4. Restart the forwarder.
Test the configuration
To confirm that the intermediate tier works properly:
1. Using Splunk Web, log into the receiving indexer.
2. Open the Search and Reporting app.
3. Run a search that contains a reference to one of the hosts that you configured to send data to the intermediate forwarder. For example:
host=<name or ip address of forwarder> index=_internal
If you do not see events, then the host has not been configured properly. See Troubleshoot forwarder/receiver connection for possible solutions.
See also
If you have access to the Edge Processor solution, you can use Edge Processors to fulfill many of the same requirements as an intermediate forwarder tier. For example, you can send data from multiple forwarders in different geographical regions to an Edge Processor that serves as a central host in a specific region, and then send data from that Edge Processor to an indexer. You can also use the Edge Processor to transform the data before routing it to an indexer. For more information, see About the Edge Processor solution in the Use Edge Processors manual.
Configure a forwarder to use a SOCKS proxy | Protect against loss of in-flight data |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2203, 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!