Introducing the universal forwarder
This section of the Distributed Deployment manual describes how to deploy the universal forwarder for a variety of systems and needs. For information on the different kinds of forwarders and detailed information on configuring them for a range of topologies and use cases, see the "Forward data" chapter of this manual.
The universal forwarder replaces the light forwarder.
Note: The universal forwarder is a separate executable from Splunk. Instances of Splunk and the universal forwarder can co-exist on the same system.
For information on deploying the universal forwarder, see "Universal forwarder deployment overview".
How universal forwarder compares to full Splunk
The universal forwarder's sole purpose is to forward data. Unlike a full Splunk instance, you cannot use the universal forwarder to index or search data. To achieve higher performance and a lighter footprint, it has several limitations:
- The universal forwarder has no searching, indexing, or alerting capability.
- The universal forwarder does not parse data.
- The universal forwarder does not output data via syslog.
- Unlike full Splunk, the universal forwarder does not include a bundled version of Python.
Scripted inputs and Python
Full Splunk comes bundled with Python. The universal forwarder does not. Therefore, if you're currently using scripted inputs with Python and you want to use those scripts with the universal forwarder, you must first install your own version of Python. If you have been using calls specific to Splunk's Python libraries, you cannot do so with the universal forwarder, since those libraries exist only in full Splunk. You may use other scripting languages for scripted inputs with the universal forwarder if they are otherwise supported on the target host (for example, Powershell on Windows Server 2008.)
How universal forwarder compares to the light forwarder
The universal forwarder is a streamlined, self-contained forwarder that includes only the essential components needed to forward data to Splunk indexers. The light forwarder, by contrast, is a full Splunk instance, with certain features disabled to achieve a smaller footprint. In all respects, the universal forwarder represents a better tool for forwarding data to indexers. When you install the universal forwarder, you can migrate from an existing light forwarder, version 4.0 or greater. See "Migrating from a light forwarder" for details.
Compared to the light forwarder, the universal forwarder provides a better performing and more streamlined solution to forwarding. These are the main technical differences between the universal forwarder and the light forwarder:
- The universal forwarder puts less load on the CPU, uses less memory, and has a smaller disk footprint.
- The universal forwarder has a default data transfer rate of 256Kbps
- The universal forwarder does not come bundled with Python.
- The universal forwarder is a forwarder only; it cannot be converted to a full Splunk instance.
For information on deploying the universal forwarder, see the topics that directly follow this one.
For information on using the universal forwarder to forward data and participate in various distributed topologies, see the topics in the "Forward data" section of this manual. Those topics also discuss light and heavy forwarders.
For information on third-party Windows binaries that the Windows version of the Splunk universal forwarder ships with, read "Information on Windows third-party binaries distributed with Splunk" in the Installation Manual.
For information about running the Splunk universal forwarder in Windows Safe Mode, read "Splunk Architecture and Processes" in the Installation Manual.
Forward data to third-party systems
Universal forwarder deployment overview
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16