The short answer is:
On the main Splunk installation (call it Indexer/Search Interface/Splunk Web), go into Manager, go into "Forwarding and Receiving", click "Enable Receiving", and fill in a port number, e.g. 9997.
On the Forwarder, it's probably easiest if you simply run:
su splunk
/opt/splunk/bin/splunk add forward-server <IP:port>
That sets up the connection between the two hosts.
But I suggest you read up on the docs; there is a 'tutorial' section that will cover the basics, and a 'distributed deployment' section that will cover forwarding. There is also a 'getting data in' section with detailed 'recipes' for various scenarios.
http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/WelcometotheSplunkTutorial
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Distributedoverview
http://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor
Hope this helps,
K
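
A check to run after the steps in the answer above, as an added example that is not part of the original answer: it lists the receivers a forwarder is configured to send to, so you can confirm that logs go only to the intended indexer. It assumes the forward-server target ends up as a `server = host:port` setting under a `[tcpout:<group>]` stanza in the forwarder's outputs.conf (Splunk's standard forwarding configuration, not something stated in the answer); the function names, addresses and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which receivers a forwarder's outputs.conf points at.

# Print every host:port from "server =" lines inside [tcpout:<group>] stanzas.
# $1 = path to outputs.conf
list_receivers() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
        /^[ \t]*\[/ {                                # a new stanza starts here
            in_tcpout = ($0 ~ /^[ \t]*\[tcpout:/)    # only target-group stanzas count
            next
        }
        in_tcpout && /^[ \t]*server[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")                 # drop "server ="
            sub(/[ \t\r]+$/, "")                     # drop trailing whitespace
            n = split($0, a, /[ \t]*,[ \t]*/)        # comma-separated receivers
            for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
        }
    ' "$1"
}

# Succeed only if the expected receiver is configured, matched exactly.
# $1 = path to outputs.conf, $2 = expected host:port
check_receiver() {
    list_receivers "$1" | grep -Fxq -- "$2"
}

# Constructed sample of a forwarder's outputs.conf (documentation addresses).
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[tcpout]
defaultGroup = default-autolb-group

# two receivers in one load-balanced group
[tcpout:default-autolb-group]
server = 192.0.2.10:9997, 192.0.2.11:9997

[tcpout-server://192.0.2.10:9997]
EOF
    echo "$f"
}

sample=$(make_sample)
list_receivers "$sample"
rm -f "$sample"
```

On a forwarder installed under /opt/splunk as in the answer, the file to check would normally be /opt/splunk/etc/system/local/outputs.conf (an assumption about where the CLI writes the setting).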