Enable a receiver

A receiver is a Splunk software instance that is configured to listen on a specific port for incoming communications from a forwarder.

In a typical Splunk Enterprise deployment, the receiver is an indexer or a cluster of indexers. Sometimes the receiver is another forwarder; this is known as an intermediate forwarder. To learn more about how intermediate forwarders work, see Intermediate forwarding. As a best practice, configure the receivers before configuring the forwarders to send data.

On a Splunk Cloud Platform instance, the receiving port is configured and enabled by default. It is not possible to configure receiving on a Splunk Cloud Platform instance using Splunk Web, editing a .conf file, or using the command line interface (CLI).

Configuring the receiver settings directly on Splunk software instances is only recommended for a single instance deployment. To manage Splunk Enterprise configurations in a distributed environment, see About deployment server and forwarder management in the Updating Splunk Enterprise Instances manual.

Configure a receiver using Splunk Web

Use Splunk Web to configure a receiver:

  1. Log into Splunk Web as a user with the admin role.
  2. In Splunk Web, go to Settings > Forwarding and receiving.
  3. Select "Configure receiving."
  4. Check whether any receiver ports are already open. You cannot create a duplicate receiver port. The conventional receiver port configured on indexers is port 9997.
  5. Select "New Receiving Port."
  6. Add a port number and save.

Note: Splunk Web is only available with Splunk Enterprise, not the universal forwarder.

Configure a receiver using the command line

Use the command line interface (CLI) to configure a receiver:

  1. Open a shell prompt.
  2. Change the path to $SPLUNK_HOME/bin.
  3. Type: splunk enable listen <port> -auth <username>:<password>
  4. Restart Splunk software for the changes to take effect.

*nix example:
    ./splunk enable listen 9997 -auth admin:password

Windows example:
    splunk enable listen 9997 -auth admin:password

Configure a receiver using a configuration file

Configure a receiver using the inputs.conf file:

  1. Open a shell prompt.
  2. Change the path to $SPLUNK_HOME/etc/system/local.
  3. Edit the inputs.conf file.
  4. Create a [splunktcp] stanza and define the receiving port. Example:
    [splunktcp://9997]
    disabled = 0
    
  5. Save the file.
  6. Restart Splunk software for the changes to take effect.

Note: The forms [splunktcp://9997] and [splunktcp://:9997] (one colon or two) are semantically equivalent. You can use either one.
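
The following is an added example, not part of the original Splunk documentation: a small audit script that reads inputs.conf text, treats the two equivalent stanza spellings as the same port, and reports which receiving ports are enabled, which are declared more than once, and which fall outside an expected list. The function names, the sample file contents, and the assumptions that a stanza with no disabled setting is enabled and that "1" or "true" means disabled are this example's own.

```python
import re

# Matches both stanza spellings the note above calls equivalent.
STANZA = re.compile(r"^\[splunktcp://:?(\d+)\]$")

def receiver_ports(conf_text):
    """Return {port: [[stanza_header, enabled], ...]} for splunktcp stanzas."""
    ports = {}
    current = None  # entry for the splunktcp stanza being read, else None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            m = STANZA.match(line)
            # Assumption: a stanza is enabled unless it sets disabled.
            current = [line, True] if m else None
            if m:
                ports.setdefault(int(m.group(1)), []).append(current)
            continue
        if current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "disabled":
                current[1] = value.lower() not in ("1", "true")
    return ports

def audit(conf_text, expected=(9997,)):
    """Summarize enabled, duplicated, and unexpected receiving ports."""
    ports = receiver_ports(conf_text)
    enabled = sorted(p for p, e in ports.items() if any(x[1] for x in e))
    duplicates = sorted(p for p, e in ports.items() if len(e) > 1)
    unexpected = [p for p in enabled if p not in expected]
    return {"enabled": enabled, "duplicates": duplicates,
            "unexpected": unexpected}

# Constructed sample inputs.conf content, not taken from a real system.
SAMPLE = """\
[splunktcp://9997]
disabled = 0
[splunktcp://:9997]
[splunktcp://9998]
disabled = 1
[splunktcp://9996]
[monitor:///var/log/messages]
disabled = 1
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it against the contents of $SPLUNK_HOME/etc/system/local/inputs.conf by passing the file's text to audit() in place of SAMPLE.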