In this blog we will be looking on installing and configuring heavy forwarder in splunk but before that let’s see what is an heavy forwarder in splunk. Heavy forwarder is an Splunk enterprise binary which has the ability to not only receive data but also to parse and index the same thus taking some load of the indexer in the pipeline.
It can also receive data from universal forwarder or multiple universal forwarder and send it to indexer or other third party data storage thus acting as an intermediary between the two for routing the data
A typical heavy forwarder setup can be given below
Please note that if the heavy forwarder needs to index data it requires a forwarder license
Lets see how to configure the heavy forwarder to send the data to the indexer and receive data from outside .Provided Splunk is already installed on the instance which you want to configure as heavy forwarder ,proceed with the steps given below:
- By Splunk Web:
Step 1: Go to “Settings>forwarding and receiving>
Step 2 : click ADD NEW in Configure forwarding then enter: (where you want to send data
Step 3 : Enable Listening
Go to Settings > Data > Forwarding and receiving > Receive Data > Configure receiving
then click on add new and enter the port number. Default:9997.
Heavy forwarder has been configured to receive data on the port no 9997.
- By CLI:
Step 1: Run the following Command in the CLI :
"opt/splunk/bin/splunk add forward-server 192.168.0.73:9997"(<indexer-IP:port>)
Step2 : Navigate to bin folder under home > opt > splunk > bin and run following command
$ splunk enable listen 9997
Your instance have got configured as heavy forwarder and is able to receive data from the port 9997 using CLI
- By editing Configuration files :
Step1 : Configuring outputs.conf
Go To system local directory by navigating in home > opt > splunk > etc > system > local or by running the following command:
Open outputs.conf from the local directory to edit
If there is no outputs.conf file in the folder then create one and write the following Stanza:
Step 2: Configuring inputs.conf: Navigate to Home > opt > splunk > etc >system >local and edit inputs.conf
Create one if not present and then write the following stanza in inputs.conf:
Your instance has been configured via configuration files as Heavy forwarder to receive data.