Documentation > Splexicon > Heavyforwarder

heavy forwarder

noun

A type of forwarder, a Splunk instance that forwards data to another Splunk server or a third-party system.

A heavy forwarder has a smaller footprint than a Splunk indexer but retains most of the capability, except that it lacks the ability to perform distributed searches. Much of its default functionality, such as Splunk Web, can be disabled to reduce the size of its footprint.

Unlike other types of forwarders, a heavy forwarder parses data before forwarding it and can route data based on criteria such as source or type of event. It can also index data locally while forwarding the data to another Splunk indexer.

Besides the heavy forwarder, there are two other types of forwarders:

In nearly all respects, the universal forwarder represents the best tool for forwarding data to indexers. Its main limitation is that it forwards only unparsed data. Therefore, you cannot use it to route data based on event contents. For that, you must use a heavy forwarder.

Related terms

For more information

In the Distributed Deployment Manual:

Retrieved from "http://docs.splunk.com/Splexicon:Heavyforwarder"

*

A

B

C

D

E

F

G

H

I

J

K

L

M

N

P

R

S

T

U

V

W

Splunk

licensing

Splunk Enterprise, Splunk Enterprise trial
Splunk Free
license entitlement

Splunk services

Splunk Education
Splunk Support: Global, Enterprise, Community

Splunk server

splunkd: CLI, command line tool
Splunk Web: view, dashboard, panel, search view, Manager
app: SplunkBase, Search app, view, panel, add-on, suite


solutions

solution

suite

Enterprise Security suite
PCI Compliance suite

app

Splunk for Windows
Splunk for Unix and Linux
Splunk for Blue Coat
Splunk for F5

add-on

deployment

deployment server

deployment client, server class, multi-tenant environment

load balancing

automatic load balancing, round-robin data balancing

distributed search

search head, indexer node

forwarder

light forwarder
forwarding license
receiver

data routing

conditional routing
indexQueue, parsingQueue, nullQueue
target group, default group

troubleshooting

command line tool


search

Search app

timeline, time range picker
field picker
Report Builder

Splunk search language

command transforming command punct, pipe operator
subsearch, search macro
search assistant

search timeline

finalize, send to background

search result

event, field, timestamp
report, chart

form search

search job

knowledge management

knowledge

knowledge object

field extraction, field transform, tag, transaction, workflow action, lookup, saved search, event type, search command

Manager

permissions

field

default field: host, source, source type, punct indexed field
search field
internal field
extracted field
multivalue field
field picker
alias

field extraction

index-time, search-time
interactive field extractor (IFX)

event

event data
event processing
multiline event

event type

event type builder
event type finder

transaction

transaction type

tag

alias

lookup

workflow action

event workflow

saved search

navigation menu

summary index

alert

basic conditional alert, advanced conditional alert

scheduled search

scheduler

PDF server

report

Report Builder

chart

stack mode

dashboard

module, panel, view
visual dashboard editor
view XML

PDF server

configuration

configuration file

data input

scripted input

data filtering

blacklist, whitelist

monitor

file system change monitor

syslog

event processing

character set encoding

segmentation

segment

timestamping

timestamp, timezone offset

default field extraction

host, source, source type, punct


indexing

index

bucket

index time

indexed field

summary index

security

scripted authentication

auditing

audit event, audit index

roles

role-based access control (RBAC)
permissions


archiving

retention time

development

app

App Builder
app template

add-on

dashboard

visual dashboard editor
panel

module

view, flash timeline view
intention

event renderer

SplunkBase

REST

REST API, REST endpoint