This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4
[Screenshots not reproduced: in Splunk Web, go to Admin > Distribute > Receive]
To begin receiving data:
[Screenshot not reproduced: select Yes]
You can enable receiving from the Splunk CLI. To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command. You can also add Splunk to your path and use the splunk command.
First, log in:
./splunk login
Splunk username: admin
Password:
To enable receiving:
# ./splunk enable listen 42099 -auth admin:changeme
Listening for Splunk data on TCP port 42099.
To disable receiving:
# ./splunk disable listen -auth admin:changeme
No longer listening for Splunk TCP data.
You need to restart the Splunk Server for your changes to take effect.
[Screenshots not reproduced: in Splunk Web, go to Admin > Distribute > Forward]
To begin forwarding data:
[Screenshot not reproduced: select Yes]
You can enable forwarding from the Splunk CLI. Navigate to your $SPLUNK_HOME/bin directory on the server that will be forwarding data for indexing and log in to the CLI. You can also add Splunk to your path and use the splunk command.
./splunk login
Splunk username: admin
Password:
To enable forwarding:
# ./splunk add forward-server 10.2.2.2:9999 -auth admin:changeme
Added Splunk-2-Splunk forwarding to: 10.2.2.2:9999
To disable forwarding:
# ./splunk remove forward-server 10.2.2.2:9999 -auth admin:changeme
Stopped Splunk-2-Splunk forwarding to: 10.2.2.2:9999
You need to restart the Splunk Server for your changes to take effect.
If you have installed Splunk on the server that is generating event data, you will probably elect to forward the events to another Splunk server for indexing. This decreases the workload on the forwarding server. To further reduce the work performed on the forwarding side, you may want to set up a lite-weight forwarder. With a lite-weight forwarder, all optional processing is moved to the indexing server. Specifically, when a server is made lite-weight, it is modified to:
$SPLUNK_HOME/etc/bundles/local/inputs.conf).
splunkd.xml with splunkd.xml.forwarder.
With lite-weight forwarding, timestamp and host processing still happen on the forwarding side so that this data is accurate.
You can use Splunk's CLI to turn lite-weight forwarding on and off. To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command. You can also add Splunk to your path and use the splunk command.
To enable lite-weight forwarding, use this CLI command on the forwarding server:
./splunk set server-type forwarder
To disable lite-weight forwarding, use this CLI command on the forwarding server:
./splunk set server-type default
If you would like to be able to use a scripted input on your lightweight forwarder, you need to re-enable the exec processor. To do this, go into $SPLUNK_HOME/etc/modules/input/exec and copy the existing config.xml.default to config.xml. This enables the module and on restart it will be inserted into the pipeline.
The default forwarding set-up, even with lite-weight forwarders, is to do some parsing (e.g. character encoding, timestamp extraction, line-merging) on the forwarder and then send the parsed data to be indexed. Although parsing is not nearly as resource-intensive as indexing, you may still want to avoid doing it on the forwarder.
To disable parsing on the forwarder, inputs.conf must specify (for each input, or as a global setting):
queue=indexQueue
On the receiving side, the default for splunktcp input is to skip parsing and send data directly to be indexed. To change this, inputs.conf must specify:
[splunktcp://<remote server>:<port>]
queue=parsingQueue
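Because the queue setting can be given per input or globally, and because splunktcp inputs and other inputs have different built-in defaults, it is easy to lose track of where parsing actually happens. The following Python script is an added example (it is not Splunk's code and not part of the original page): it parses an inputs.conf file and reports, for each input stanza, whether events are parsed locally (parsingQueue) or handed straight to indexing (indexQueue), applying the precedence described above for both the forwarder side and the receiving side. It assumes the global setting is expressed as a queue= key in a [default] stanza; the stanza names, file paths and the 10.2.2.3 address in the sample data are constructed for illustration.

```python
# Added example (not Splunk's own code): audit an inputs.conf file and report, for each
# input stanza, whether events are parsed locally (parsingQueue) or handed straight to
# indexing (indexQueue), following the precedence described in the documentation above.
# Assumption: the "global setting" is a queue= key in a [default] stanza. The stanza
# names, paths and the 10.2.2.3 address in the samples below are constructed.

VALID_QUEUES = {"parsingQueue", "indexQueue"}


def parse_inputs_conf(text):
    """Minimal .conf parser: returns {stanza_name: {key: value}}.
    Keys that appear before any [stanza] header are filed under 'default'."""
    stanzas = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()  # new stanza header
            stanzas.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective_queue(stanza_name, settings, global_settings):
    """Precedence: per-stanza queue, then the global queue, then the built-in default.
    Built-in default (per the docs): splunktcp inputs skip parsing; other inputs are parsed."""
    if "queue" in settings:
        return settings["queue"]
    if "queue" in global_settings:
        return global_settings["queue"]
    return "indexQueue" if stanza_name.startswith("splunktcp://") else "parsingQueue"


def audit_parsing(text):
    """Return {stanza_name: effective queue}. Unknown queue names are rejected so that
    a typo such as queue=indexingQueue is caught before the config is deployed."""
    stanzas = parse_inputs_conf(text)
    global_settings = stanzas["default"]
    report = {}
    for name, settings in stanzas.items():
        if name == "default":
            continue
        queue = effective_queue(name, settings, global_settings)
        if queue not in VALID_QUEUES:
            raise ValueError(f"{name}: unknown queue '{queue}' (expected one of {sorted(VALID_QUEUES)})")
        report[name] = queue
    return report


# Constructed sample: a forwarder whose global setting disables local parsing,
# with one input that opts back in.
FORWARDER_CONF = """
[default]
queue = indexQueue

[monitor:///var/log/messages]

[monitor:///var/log/secure]
queue = parsingQueue
"""

# Constructed sample: a receiver that parses data from 10.2.2.2 (the address used in
# the CLI examples above) but leaves a second splunktcp input at its default.
RECEIVER_CONF = """
[splunktcp://10.2.2.2:9999]
queue=parsingQueue

[splunktcp://10.2.2.3:9999]
"""

if __name__ == "__main__":
    for label, conf in (("forwarder", FORWARDER_CONF), ("receiver", RECEIVER_CONF)):
        for stanza, queue in audit_parsing(conf).items():
            where = "parsed locally" if queue == "parsingQueue" else "sent straight to indexing"
            print(f"{label}: {stanza} -> {queue} ({where})")
```

Running the script prints one line per input; the forwarder's /var/log/secure input ends up parsed locally despite the global indexQueue setting, and the receiver's second splunktcp input skips parsing because nothing overrides the splunktcp default. To audit a real host, read $SPLUNK_HOME/etc/bundles/local/inputs.conf into audit_parsing() instead of the constructed samples.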