Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I convert from a light forwarder to a full forwarder?

Alan_Bradley
Path Finder
‎03-25-2010 01:05 AM

I have a light forwarder (v4.0.7) I want to change this to a forwarder instead of a light forwarder. The reason being is that I want this forwarder to add some indexed fields to the mix before the data is sent over to the main index server. What are the steps involved to make this happen?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

BunnyHop
Contributor
‎03-25-2010 02:49 PM

Since SplunkWeb is disabled, you will have to do it on the CLI:

cd %SPLUNK%
splunk disable app SplunkLightForwarder
splunk enable app SplunkForwarder
splunk restart

View solution in original post

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-26-2010 04:12 AM

You can disable the SplunkLightForwarder app, and enable the SplunkForwarder app (or not enable the SplunkForwarder app -- it doesn't actually do much besides turn off SplunkWeb). You will of course have to move all parsing-related configurations from your indexer to your forwarder now.

http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F may help figure out which configurations.

My practice is to put all sourcetype-level props.conf and transforms.conf configurations into a single app, then replicate that app to search, indexer, and forwarder, using Deployment Server or similar to keep them in sync. These configurations that aren't appropriate will just be ignored, and you don't have to worry about if a forwarder is light or not, or if your indexer is also a searcher or not.

Reply
Solved! Jump to solution

oreoshake
Communicator
‎03-26-2010 01:55 AM

If for some reason you can't execute those commands, basically it just changes the value for etc/apps/Splunk(Light)Forwarder/local/app.conf

[install]

state = enabled|disabled

Some of our SAs prefer to just modify the configs directly.

So in your case...

create etc/apps/SplunkForwarder/local/app.conf with

[install]

state = enabled

And change the value in etc/apps/SplunkLightForwarder/local/app.conf

[install]

state = disabled

Reply
Solved! Jump to solution
Solution

BunnyHop
Contributor
‎03-25-2010 02:49 PM

Since SplunkWeb is disabled, you will have to do it on the CLI:

cd %SPLUNK%
splunk disable app SplunkLightForwarder
splunk enable app SplunkForwarder
splunk restart
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...