How to Migrate a Universal Forwarder to a Heavy Forwarder in Splunk

Published on September 18th, 2015

In this screencast, one of Hurricane Labs’ Splunk Administrators and Security Operations Analysts, Jeremy Nenadal, walks you through a “How-To” for turning a Universal Forwarder into a Heavy Forwarder in Splunk. Performing this upgrade can be beneficial to your organization for a variety of reasons.

You may want to perform this migration because:

  • A universal forwarder may not be able to fulfill the needs of your growing organization
  • Software you’re installing may require a heavy forwarder, with the additional features a universal forwarder lacks

Watch the screencast tutorial below for the full details of how to perform this upgrade.

This simple step-by-step process involves the following:

  • Stop the universal forwarder
  • Install the new forwarder software
  • (If running Windows) stop that forwarder from running
  • Copy over the needed files
  • Start the new forwarder back up again

The reason for this particular process is to prevent re-indexing of files. If you uninstall the universal forwarder and then install the new version, you will end up re-indexing files, which you don’t want to do.
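The stop, copy and start steps above as a shell script, added here as an example and not taken from the screencast or from Hurricane Labs. It assumes default Linux install paths and that the needed files are the fishbucket (Splunk's file-monitor checkpoints, which are what prevent re-indexing); the pid-file check and the `UF_HOME`, `HF_HOME`, `STATE_DIRS` and `MIGRATE` names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed: default Linux paths,
# and that the "needed files" are the fishbucket (file-monitor checkpoints).
UF_HOME=${UF_HOME:-/opt/splunkforwarder}    # assumed universal forwarder home
HF_HOME=${HF_HOME:-/opt/splunk}             # assumed heavy forwarder home
STATE_DIRS="var/lib/splunk/fishbucket"      # add config dirs you also need

# Assumption: a running splunkd keeps a pid file here and removes it on stop.
is_stopped() {
    [ ! -e "$1/var/run/splunk/splunkd.pid" ]
}

# copy_state SRC DST: copy each state dir, refusing if either side is running
# (a checkpoint database copied mid-write may be inconsistent).
copy_state() {
    src=$1; dst=$2
    if ! is_stopped "$src" || ! is_stopped "$dst"; then
        echo "stop both forwarders before copying" >&2; return 1
    fi
    for rel in $STATE_DIRS; do
        [ -d "$src/$rel" ] || { echo "missing: $src/$rel" >&2; return 1; }
        mkdir -p "$dst/$rel" || return 1
        # -p preserves mode, timestamps and (as root) owner; "/." copies contents
        cp -Rp "$src/$rel/." "$dst/$rel/" || return 1
    done
}

# verify_state SRC DST: every source file must exist byte-identical in DST.
verify_state() {
    [ -d "$1" ] || return 1
    (cd "$1" && find $STATE_DIRS -type f) | while IFS= read -r f; do
        cmp -s "$1/$f" "$2/$f" || exit 1
    done
}

# Full procedure, run only on request: MIGRATE=1 sh migrate.sh
# The heavy forwarder must already be installed (and stopped) at HF_HOME.
if [ "${MIGRATE:-0}" = 1 ]; then
    "$UF_HOME/bin/splunk" stop &&
        copy_state "$UF_HOME" "$HF_HOME" &&
        verify_state "$UF_HOME" "$HF_HOME" &&
        "$HF_HOME/bin/splunk" start
fi
```

Run it as the account that owns both installs so the copied files keep their ownership and permissions.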

Happy Splunking!


About Hurricane Labs

Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.

For more information, visit and follow us on Twitter @hurricanelabs.