Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I convert from a light forwarder to a full forwarder?

Alan_Bradley
Path Finder
‎03-25-2010 01:05 AM

I have a light forwarder (v4.0.7) I want to change this to a forwarder instead of a light forwarder. The reason being is that I want this forwarder to add some indexed fields to the mix before the data is sent over to the main index server. What are the steps involved to make this happen?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

BunnyHop
Contributor
‎03-25-2010 02:49 PM

Since SplunkWeb is disabled, you will have to do it on the CLI:

cd %SPLUNK%
splunk disable app SplunkLightForwarder
splunk enable app SplunkForwarder
splunk restart

View solution in original post

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-26-2010 04:12 AM

You can disable the SplunkLightForwarder app, and enable the SplunkForwarder app (or not enable the SplunkForwarder app -- it doesn't actually do much besides turn off SplunkWeb). You will of course have to move all parsing-related configurations from your indexer to your forwarder now.

http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F may help figure out which configurations.

My practice is to put all sourcetype-level props.conf and transforms.conf configurations into a single app, then replicate that app to search, indexer, and forwarder, using Deployment Server or similar to keep them in sync. These configurations that aren't appropriate will just be ignored, and you don't have to worry about if a forwarder is light or not, or if your indexer is also a searcher or not.

Reply
Solved! Jump to solution

oreoshake
Communicator
‎03-26-2010 01:55 AM

If for some reason you can't execute those commands, basically it just changes the value for etc/apps/Splunk(Light)Forwarder/local/app.conf

[install]

state = enabled|disabled

Some of our SAs prefer to just modify the configs directly.

So in your case...

create etc/apps/SplunkForwarder/local/app.conf with

[install]

state = enabled

And change the value in etc/apps/SplunkLightForwarder/local/app.conf

[install]

state = disabled

Reply
Solved! Jump to solution
Solution

BunnyHop
Contributor
‎03-25-2010 02:49 PM

Since SplunkWeb is disabled, you will have to do it on the CLI:

cd %SPLUNK%
splunk disable app SplunkLightForwarder
splunk enable app SplunkForwarder
splunk restart
Reply
Get Updates on the Splunk Community!

Digital Resilience Assessment Launch | How prepared are you for disruption?

Disruption is inevitable. The question is – how prepared are you to handle it? In today’s fast-moving digital ...

Buttercup Games: Further Dashboarding Techniques (Part 2)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Index This | What is the next number in the series? 7,645 5,764 4,576…

February 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...