Documentation: 3.4.1
This page last updated: 12/11/08 02:12pm

Enable the Splunk forwarder or light forwarder

As of version 3.4, the Splunk forwarder and light forwarder (formerly referred to as the lightweight forwarder) are packaged as applications that you can enable via Splunk Web or the CLI.

Important: If you are configuring forwarding and receiving, your receiving Splunk instance must be running the same (or later) version of Splunk as your forwarders. Also, you cannot use data balancing in conjunction with the light forwarder because the data is not parsed before being sent--events may be split into parts before reaching the receiver, resulting in partial events.

What's different about the Splunk light forwarder?

The Splunk light forwarder can monitor local log files and directories, collect Windows event logs and use scripted inputs (including local WMI and registry data sources on Windows). To cut down on overhead, however, many other features are disabled.

Specifically, the Splunk light forwarder:

  • Disables event signing and checking if the disk is full ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/default-mode.conf)
  • Sets the forwarder buffering queue to 1000 events ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/outputs.conf)
  • Limits internal data inputs to splunkd and metrics logs only, and makes sure these are forwarded ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/inputs.conf)
  • Disables all indexing ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/indexes.conf)
  • Does not parse data. Therefore, install applications that include inputs.conf on both the light forwarder and the receiving instance.
  • Disables the Splunk Web interface ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/web.conf)
  • Limits throughput to 256KBps on monitor, exec, and Windows event log inputs ($SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/limits.conf and the configurations under $SPLUNK_HOME/etc/apps/SplunkLightForwarder/config/input/*)
  • Disables the following modules in $SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/setup.conf:
    [modules]
    distributedDeployment = disabled
    distributedSearch = disabled
    input/FIFO = disabled
    input/fschangemanager = disabled
    input/UDP = disabled
    input/tcp = disabled
    input/syslogFIFO = disabled
    input/syslogUDP = disabled

For a detailed view of the exact configuration, look at the setup.conf file for the SplunkLightForwarder application in $SPLUNK_HOME/etc/apps/SplunkLightForwarder/default, where $SPLUNK_HOME is the directory into which you installed Splunk.

To alter the configuration of Splunk light forwarder (to add back in a specific input type, for example), edit the setup.conf for the SplunkLightForwarder application.
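Because setup.conf can be edited to add input types back, a light forwarder's [modules] stanza is worth checking against the list above, since a re-enabled network input changes what the host listens on. The following is an added example, not Splunk's own code: the function names and the sample file are constructed, and the value "enabled" in the sample is an assumption (the check treats anything other than "disabled", including a missing key, as drift).

```python
import configparser

# Modules this page lists as disabled in the light forwarder's setup.conf.
EXPECTED_DISABLED = (
    "distributedDeployment", "distributedSearch", "input/FIFO",
    "input/fschangemanager", "input/UDP", "input/tcp",
    "input/syslogFIFO", "input/syslogUDP",
)

def read_modules(conf_text):
    """Return the [modules] stanza of a setup.conf as a dict (key case kept)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep 'input/UDP' distinct from 'input/udp'
    parser.read_string(conf_text)
    if not parser.has_section("modules"):
        return {}
    return {k: v.strip().lower() for k, v in parser.items("modules")}

def audit_light_forwarder(conf_text):
    """List (module, state) pairs that differ from the documented baseline."""
    modules = read_modules(conf_text)
    drift = []
    for name in EXPECTED_DISABLED:
        state = modules.get(name, "<missing>")
        if state != "disabled":
            drift.append((name, state))
    return drift

# Constructed sample: input/tcp was switched back on and input/syslogUDP
# was dropped from the stanza. "enabled" is an assumed value.
SAMPLE = """\
[modules]
distributedDeployment = disabled
distributedSearch = disabled
input/FIFO = disabled
input/fschangemanager = disabled
input/UDP = disabled
# re-enabled for a test
input/tcp = enabled
input/syslogFIFO = disabled
"""

if __name__ == "__main__":
    for name, state in audit_light_forwarder(SAMPLE):
        print(f"{name}: {state} (baseline: disabled)")
```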

What's different about the Splunk forwarder?

The Splunk forwarder disables Splunk Web. All other functions and modules remain enabled.

For a detailed view of the exact configuration, you can look at the setup.conf file for the SplunkForwarder application in $SPLUNK_HOME/etc/apps/SplunkForwarder/default, where $SPLUNK_HOME is the directory into which you installed Splunk.

Read this before you enable Splunk forwarder or light forwarder

Splunk Web is turned off in the forwarder and light forwarder to reduce the footprint of Splunk on the forwarding host. Therefore, if you want to use Splunk Web to configure your forwarding Splunk instance, do this before you enable forwarding. After you enable forwarding, you can only configure your forwarder via the Splunk CLI.

You must configure a receiver before setting up forwarding. This way, the Splunk receiving host is prepared for the forwarded data. Then, configure your forwarder(s). Follow these general steps to deploy Splunk forwarders and light forwarders effectively.

First, enable a Splunk server to receive data:
1. Decide which machine to use as a receiver.
2. Configure it to receive data using these instructions.
Note: Your receiving Splunk instance must be running the same version of Splunk as your forwarders, or a later version.

Then, on the forwarding Splunk instance:
1. Install Splunk on the machine that will be forwarding data.
2. Use Splunk Web or the CLI to add inputs as described here. Data from these inputs will be sent via the forwarder to the receiver.
3. Point your forwarder at the receiver using these instructions.
4. Then, use Splunk Web or the CLI to enable Splunk forwarder or light forwarder.

After you configure a Splunk instance to forward data, add any additional settings, such as routing, cloning, filtering or data balancing. Configuration changes are done on the forwarder side, on the host that is reading the data input.

If, once you've enabled the Splunk forwarder or light forwarder, you want to disable it, you must do it via the CLI as described below.

Important: You MUST provide this forwarder/light forwarder with the hostname and port of the Splunk server to which it will send data, using the information in this topic. You must also use the same information to set the Splunk server that will be receiving the data as a receiver.

Licensing for Splunk forwarder and light forwarder

When you enable either the Splunk forwarder or light forwarder, you must manually switch licenses as appropriate.

Enable via Splunk Web

To enable Splunk forwarder or light forwarder via Splunk Web:

1. Log into Splunk Web.

2. Navigate to the Admin section, and click Applications.
The Applications:View/Manage Applications page is displayed.

3. Find the Splunk application you want to enable for this system and click Enable.
The application is enabled.

Note: Remember, if you enable Splunk forwarder or light forwarder, Splunk Web will subsequently be unreachable.

Enable via CLI

To enable Splunk forwarder or light forwarder via the CLI:

./splunk enable app [SplunkForwarder|SplunkLightForwarder] -auth <username>:<password>

Note: If you are running Splunk with a free license, you do not have to provide a username and password.

Disable via CLI

To disable Splunk forwarder or light forwarder via the CLI:

./splunk disable app [SplunkForwarder|SplunkLightForwarder] -auth <username>:<password>

Note: If you are running Splunk with a free license, you do not have to provide a username and password.
