Splunk® Universal Forwarder

Forwarder Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

About the universal forwarder

Universal forwarders stream data from your machine to a data receiver. Your receiver is usually a Splunk index where you store your Splunk data. You can use the universal forwarder to monitor your data in real time.

Use the universal forwarder to ensure that your data is correctly formatted before sending it to Splunk. You can also manipulate your data before it reaches the indexes or manually add the data.


The following diagram shows the most common configuration for the universal forwarder. 30 admin13 forwardreceive-dataforward 60.png

See Deploy the Universal Forwarder to create your configuration. See Advanced Universal Forwarder Configurations for examples of more advanced forwarder configurations.

Benefits of the Universal Forwarder

Universal forwarders provide the following benefits:

  • They are highly scalable
  • They use significantly less hardware resources than other Splunk products
  • You can install thousands of them without impacting network performance and cost
  • The universal forwarder does not have a user interface, which helps minimize resource use

Forwarders provide the following capabilities:

  • Metadata tagging, including source, source type, and host.
  • Configurable buffering
  • Data compression
  • SSL security
  • Use of any available network ports
Last modified on 04 October, 2023
  NEXT
Universal forwarder prerequisites

This documentation applies to the following versions of Splunk® Universal Forwarder: 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters