Deploy a light forwarder

Note: The light forwarder was deprecated in Splunk Enterprise version 6.0. For a list of all deprecated features, see Deprecated features in the Release Notes.

You can install a light forwarder on a full Splunk Enterprise instance. For information on how to install a universal forwarder, which is the recommended replacement for the light forwarder, see Install the universal forwarder software in the Universal Forwarder manual.

To enable forwarding and receiving, configure both a receiver and a forwarder. The receiver receives the data and the forwarder sends data to the receiver.

A Splunk best practice is to set up the receiver first. You can then set up forwarders to send data to that receiver.

Setting up a light forwarder is a two-step process:

  1. Install a full Splunk Enterprise instance.
  2. Enable forwarding on the instance.

Note: When you configure a Splunk instance as a light forwarder, select the forwarder license. For more information, see Types of Splunk licenses.

Set up forwarding

You can use the CLI as a quick way to enable forwarding.

You can also enable, as well as configure, forwarding by creating an outputs.conf file on the Splunk instance. Although setting up forwarders with outputs.conf requires a bit more initial knowledge, there are obvious advantages to performing all forwarder configurations in a single location. Most advanced configuration options are available only through outputs.conf. In addition, if you will be enabling and configuring a number of forwarders, you can easily accomplish this by editing a single outputs.conf file and making a copy for each forwarder. See the topic "Configure forwarders with outputs.conf" for more information.

Set up light forwarding with the CLI

To set up light forwarding, perform the following steps:

  1. From a shell or command prompt, navigate to the $SPLUNK_HOME/bin/ directory and run the following command: splunk enable app SplunkLightForwarder -auth <username>:<password>
  2. Restart the forwarder.

To disable the light forwarder mode, run the following command: 

splunk disable app SplunkLightForwarder -auth <username>:<password>

This command reverts the forwarder to a full Splunk Enterprise instance.

Start forwarding activity from the CLI

  1. From a shell or command prompt, navigate to the $SPLUNK_HOME/bin/ directory.
  2. To start forwarding activity, specify the receiver with the splunk add forward-server command: splunk add forward-server <host>:<port> -auth <username>:<password>

To end forwarding activity, enter:

splunk remove forward-server <host>:<port> -auth <username>:<password>

Note: Although this command ends forwarding activity, the instance remains configured as a forwarder. To revert the instance to a full Splunk Enterprise instance, use the disable command, as described earlier in this topic.

After invoking either of these commands, restart the forwarder.