Documentation: 3.3.1
This page last updated: 09/04/08 04:09pm

Install Splunk for lightweight forwarding

Data distribution covers all configurations in which one Splunk server (the forwarder) is sending data to one or more Splunk servers (the receivers) prior to being indexed. When configuring data distribution, you can set up lightweight forwarding to move optional processing to the indexing server and reduce the workload on the forwarding server.

The following procedure describes how to set up lightweight forwarding on your Splunk instance.

Note: (If you have administrator or root privileges) To save a lot of typing, add the top level directory of your Splunk installation to your shell path. The $SPLUNK_HOME variable refers to the top level directory. Set a SPLUNK_HOME environment variable and add $SPLUNK_HOME/bin to your shell's path. The example below works for bash users who accepted the default installation location. Use the correct syntax and path for your own installation.

# export SPLUNK_HOME=/opt/splunk
# export PATH=$SPLUNK_HOME/bin:$PATH

The full path to the Splunk executable is provided in these instructions regardless.

1. Install Splunk.
Refer to the Installation Manual for instructions on downloading and installing Splunk.

Note: When configuring a server for lightweight forwarding, ensure it is on the same Splunk version as the receiver, or an earlier one. It does not need to be on the same platform.

2. Update your license.
Each forwarding instance of Splunk must have its own license. You have a couple of options for licenses on forwarding instances. Forwarders can run with the Free license. If you require the additional security that the Enterprise license allows (such as username and password authentication), you can request that your original Enterprise license be split. You can install smaller increments on your forwarder instances while keeping the largest increment for the indexer.

Important: For most distribution setups, we recommend a 1 MB/day Enterprise license for each forwarder instance. This 1 MB/day forward-only license is not subtracted from your existing license(s) and can be applied to multiple forwarders.

For more information about Splunk licenses, refer to the User Manual topic About licenses. Refer to License Management for instructions on installing and updating your Splunk license.

3. Configure forwarding on your Splunk server.
You can set up forwarding using Splunk Web or the CLI. Refer to the Admin Manual for instructions on enabling forwarding and more information on Forwarding and Receiving.

4. Set your Splunk server to forwarder:

$SPLUNK_HOME/bin/splunk set server-type forwarder

This setting makes the following changes to your Splunk instance:

  • Modifies inputs.conf to disable internal logging.
  • Eliminates BATCH, EXEC, FIFO, TCP, and UDP input modules from splunkd to reduce memory usage.
  • Replaces splunkd.xml with splunkd.xml.forwarder.

5. Disable Splunk Web.
For security reasons, we recommend that you disable Splunk Web on your lightweight forwarder:

$SPLUNK_HOME/bin/splunk disable webserver

6. Restart Splunk.
Setting up lightweight forwarding modifies a configuration file. You must restart Splunk to implement your changes.

$SPLUNK_HOME/bin/splunk restart
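
A check for steps 5 and 6, as an added example that is not part of the Splunk documentation: after the restart, confirm that nothing is still listening on the Splunk Web port. It assumes Splunk Web used TCP port 8000 (set WEB_PORT if yours differs) and reads `ss -ltn` or `netstat -ltn` output; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that Splunk Web is no longer listening after
# "splunk disable webserver" and "splunk restart".
# Assumption: Splunk Web was on TCP port 8000; override with WEB_PORT.
WEB_PORT="${WEB_PORT:-8000}"

# listeners_on_port PORT
# Reads `ss -ltn` or `netstat -ltn` output on stdin and prints the local
# address of every listening TCP socket bound to exactly PORT.
# In both formats the local address is field 4; the state is field 1 (ss)
# or field 6 (netstat).
listeners_on_port() {
    awk -v port="$1" '
        $1 == "LISTEN" || $6 == "LISTEN" {
            n = split($4, parts, ":")        # port is the text after the last ":"
            if (parts[n] == port) print $4
        }'
}

# check_web_disabled
# Reads socket listing on stdin; returns 0 if WEB_PORT is closed, 1 otherwise.
check_web_disabled() {
    found=$(listeners_on_port "$WEB_PORT")
    if [ -n "$found" ]; then
        echo "FAIL: still listening on port $WEB_PORT: $found" >&2
        return 1
    fi
    echo "OK: nothing listening on port $WEB_PORT"
}

# Constructed sample listings (not captured from a real host).
SAMPLE_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8089       0.0.0.0:*
LISTEN 0      128    0.0.0.0:8000       0.0.0.0:*
LISTEN 0      128    127.0.0.1:18000    0.0.0.0:*'
SAMPLE_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8089       0.0.0.0:*
LISTEN 0      128    127.0.0.1:18000    0.0.0.0:*'

# Live use on the forwarder: run this script with --live after step 6.
if [ "${1:-}" = "--live" ]; then
    ss -ltn | check_web_disabled
fi
```

A non-zero exit status from the live check means a process is still bound to the port and step 5 should be repeated before the forwarder goes into service.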


Comments

  1. wizkid: if you haven't already, i suggest you email your ideas and requests to support@splunk.com; this will help our developers prioritize new features for future releases. Also, you can follow our Product Roadmap at http://www.splunk.com/page/road_map_vote

  2. Hi There,
    What I'd like to see is a stripped down package that has just the forwarder, and does not have the full server software. This would be smaller, and more secure. Why install a full webserver, indexer, etc when all you want is to forward application and system events?

  3. tsnoam: good catch. i've corrected the inconsistency (step 6) and clarified the statements (step 4). thanks!

  4. In section 4, the statement:
    "Changing your Splunk server type to forwarder:"

    is not clear enough. At first I misunderstood it to be something that I should do manually.
    I suggest changing it to something like:
    "This will apply the following changes to the Splunk configuration:"

  5. On step 6 it is written:
    ./splunk restart

    I assume that it was meant to write:
    $SPLUNK_HOME/bin/splunk restart

    as the convention in the rest of this page

  6. Good catch tushar. I've corrected the typo

  7. There is a typo

    $SPLUNK_HOME/bin//splunk disable webserver

    should be with one "/" not two "//"

    $SPLUNK_HOME/bin/splunk disable webserver
