About forwarding and receiving data
You can forward data to Splunk Enterprise and Splunk Cloud Platform deployments as well as to systems that don't run the Splunk platform.
A Splunk instance that receives data from one or more forwarders is called a receiver. The receiver is usually a Splunk indexer, but can also be another forwarder.
The Forwarding Data Manual has more information about forwarding and receiving data with heavy and light forwarders.
Sample forwarding layout
This diagram shows three universal forwarders sending data to a single receiver (an indexer), which then indexes the data and makes it available for searching. This layout is basic, but you can define many forwarding combinations based on your specific environment and network topology.
Forwarders represent a much more robust solution for data forwarding than raw network feeds, with their capabilities for:
- Tagging of metadata (source, source type, and host)
- Configurable buffering
- Data compression
- SSL security
- Use of any available network ports
Use the universal forwarder to perform functions like data consolidation and load balancing.
| Universal forwarder system requirements |
This documentation applies to the following versions of Splunk® Universal Forwarder: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3
Download manual
Feedback submitted, thanks!