Splunk® Enterprise

Distributed Deployment Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Introducing the universal forwarder

The universal forwarder is Splunk's new lightweight forwarder. Use the universal forwarder to gather data from a variety of inputs and forward the data to a Splunk server for indexing and searching.

This section of the Distributed Deployment manual describes how to deploy the universal forwarder for a variety of systems and needs. For information on the different kinds of forwarders and detailed information on configuring them for a range of topologies and use cases, see the "Forward data" chapter of this manual.

The universal forwarder replaces the light forwarder.

Note: The universal forwarder is a separate executable from Splunk. Instances of Splunk and the universal forwarder can co-exist on the same system.

For information on deploying the universal forwarder, see "Universal forwarder deployment overview".

How universal forwarder compares to full Splunk

The universal forwarder's sole purpose is to forward data. Unlike a full Splunk instance, you cannot use the universal forwarder to index or search data. To achieve higher performance and a lighter footprint, it has several limitations:

  • The universal forwarder has no searching, indexing, or alerting capability.
  • The universal forwarder does not parse data.
  • The universal forwarder does not output data via syslog.
  • Unlike full Splunk, the universal forwarder does not include a bundled version of Python.

Scripted inputs and Python

Full Splunk comes bundled with Python. The universal forwarder does not. Therefore, if you're currently using scripted inputs with Python and you want to use those scripts with the universal forwarder, you must first install your own version of Python. If you have been using calls specific to Splunk's Python libraries, you cannot do so with the universal forwarder, since those libraries exist only in full Splunk. You may use other scripting languages for scripted inputs with the universal forwarder if they are otherwise supported on the target host (for example, Powershell on Windows Server 2008.)

How universal forwarder compares to the light forwarder

The universal forwarder is a streamlined, self-contained forwarder that includes only the essential components needed to forward data to Splunk indexers. The light forwarder, by contrast, is a full Splunk instance, with certain features disabled to achieve a smaller footprint. In all respects, the universal forwarder represents a better tool for forwarding data to indexers. When you install the universal forwarder, you can migrate from an existing light forwarder, version 4.0 or greater. See "Migrating from a light forwarder" for details.

Compared to the light forwarder, the universal forwarder provides a better performing and more streamlined solution to forwarding. These are the main technical differences between the universal forwarder and the light forwarder:

  • The universal forwarder puts less load on the CPU, uses less memory, and has a smaller disk footprint.
  • The universal forwarder has a default data transfer rate of 256Kbps
  • The universal forwarder does not come bundled with Python.
  • The universal forwarder is a forwarder only; it cannot be converted to a full Splunk instance.

Read on!

For information on deploying the universal forwarder, see the topics that directly follow this one.

For information on using the universal forwarder to forward data and participate in various distributed topologies, see the topics in the "Forward data" section of this manual. Those topics also discuss light and heavy forwarders.

For information on third-party Windows binaries that the Windows version of the Splunk universal forwarder ships with, read "Information on Windows third-party binaries distributed with Splunk" in the Installation Manual.

For information about running the Splunk universal forwarder in Windows Safe Mode, read "Splunk Architecture and Processes" in the Installation Manual.

Forward data to third-party systems
Universal forwarder deployment overview

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16


Omnilink - no. nullQueueing takes place during the parsing phase, which can only happen on an Indexer or a Heavy Forwarder.<br /><br />http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

April 14, 2013

Can I forward some events to NullQueue with the Universal forwarder?

January 23, 2013

Rkiefer - It ships with a pre-installed license. See<br /><br />http://docs.splunk.com/Documentation/Splunk/latestDeploy/Deploymentoverview#Licensing_requirements<br /><br />and<br /><br />http://docs.splunk.com/Documentation/Splunk/latest/Admin/TypesofSplunklicenses#Forwarder_license

Sgoodman, Splunker
April 24, 2012

Does the Universal Forwarder have any special licensing needs?

April 24, 2012

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters