• Read This First
  • System requirements
    • Host operating system
    • Client operating system / browser (for access to Splunk Web)
    • Hardware capacity requirements
    • Supported server hardware architectures
    • Supported file systems
    • Storage and performance notes
• Step by Step Installation
  • Before you install
    • Installing as root
    • Running Splunk on Windows
    • Disabling update checker
    • What ports Splunk uses
    • What gets installed
    • Advanced installation topics
  • AIX installation
    • Install Splunk
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • FreeBSD installation
    • Install Splunk
    • What gets installed
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • Linux installation
    • Install Splunk
    • What gets installed
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • Mac OS installation
    • Install Splunk
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • Solaris installation
    • Install Splunk
    • What gets installed
    • Start Splunk
    • Manage your license
    • Uninstall Splunk
  • Windows installation
    • Install Splunk
    • Start Splunk
    • Install or upgrade license
    • Uninstall Splunk
  • License management
    • Access your license
    • Install via Splunk Web
    • Install via CLI
    • License violations
• Install Splunk Toolbar
  • Install Splunk Toolbar for Firefox
    • Install from download page
    • Install from Splunk server
    • Uninstall Splunk Toolbar
  • Install Splunk Toolbar for Internet Explorer (beta)
    • Install from download page
    • Install from Internet Explorer
    • Uninstall Internet Explorer toolbar
• Advanced Installation Topics
  • Configure Splunk before startup
    • To start at boot time
    • To bind to an IP
  • Run Splunk as non-root user
    • Solaris 10 privileges
  • Disable update checker
  • Install Splunk for lightweight forwarding
  • Configure SELinux
  • Uninstall Splunk manually
• Upgrade Instructions
  • Upgrade and migrate to 3.2
  • Migration considerations
    • Scripts in /splunk/bin are not saved
    • Saved searches
    • Changes to indexes.conf
    • Must upgrade all instances of Splunk in a distributed environment
    • Instances of Splunk deployment server must match clients
• Help
  • Getting Help
    • Accessing help in Splunk Web
    • Accessing help in the command line (CLI)
    • How can I learn more about Splunk's advanced features?
    • I lost my Splunk.com password. What do I do?
    • How do I report problems?
    • How can I make suggestions?
    • I have some questions that aren't answered here. Where can I get help?
• Reference
  • File Manifest
  • PGP Public Key
    • Installing the key

Install Splunk for lightweight forwarding

Data distribution covers all configurations in which one Splunk server (the forwarder) is sending data to one or more Splunk servers (the receivers) prior to being indexed. When configuring data distribution, you can set up lightweight forwarding to move optional processing to the indexing server and reduce the workload on the forwarding server.

The following procedure describes how set up lightweight forwarding on your Splunk instance.

1. Install Splunk.
Refer to the Installation Manual for instructions on downloading and installing Splunk.

Note: When configuring a server for ightwieight forwarding, ensure it is on the same, or earlier Splunk version. than the receiver. It does not need to be on the same platform.

2. Update your license.
Each forwarding instance of Splunk must have its own license. You have a couple of options for licenses on forwarding instances. Forwarders can run with the Free license. If you require the additional security that the Enterprise license allows (such as username and password authentication), you can request that your original Enterprise license be split. You can install smaller increments on your forwarder instances while keeping the largest increment for the indexer.

Important: For most distribution setups, we recommend 1 MB/day Enterprise licenses for each forwarder instances. This 1 MB/day forward-only license is not subtracted from your existing license(s) and can be applied to multiple forwarders.

For more information about Splunk licenses, refer to the User Manual topic About licenses. Refer to License Management for instructions on installing and updating your Splunk license.

3. Configure forwarding on your Splunk server.
You can set up forwarding using Splunk Web or the CLI. Refer to the Admin Manual for instructions on enabling forwarding and more information on Forwarding and Receiving.

4. Set your Splunk server to "forwarder":

./splunk set server-type forwarder

• Modifies inputs.conf to disable internal logging.
• Eliminates BATCH, EXEC, FIFO, TCP, and UDP input modules from splunkd to reduce memory usage.
• Replaces splunkd.xml with splunkd.xml.forwarder.

5. Disable Splunk Web.
For security reasons, we recommend that you disable Splunk Web on your lightweight forwarder:

./splunk disable webserver

6. Restart Splunk.
Setting up lightweight forwarding modifies a configuration file. You must restart Splunk to implement your changes.

./splunk restart