Splunk® Universal Forwarder

Forwarder Manual

This documentation does not apply to the most recent version of Splunk® Universal Forwarder. For documentation on the most recent version, go to the latest release.

About forwarding and receiving data

You can forward data to Splunk Enterprise, Splunk Light, and Splunk Cloud Platform deployments as well as to systems that don't run the Splunk platform.

A Splunk instance that receives data from one or more forwarders is called a receiver. The receiver is usually a Splunk indexer, but can also be another forwarder.

The Forwarding Data Manual has more information about forwarding and receiving data with heavy and light forwarders.

Sample forwarding layout

This diagram shows three universal forwarders sending data to a single receiver (an indexer), which then indexes the data and makes it available for searching. This layout is basic, but you can define many forwarding combinations based on your specific environment and network topology.

30 admin13 forwardreceive-dataforward 60.png

Forwarders represent a much more robust solution for data forwarding than raw network feeds, with their capabilities for:

  • Tagging of metadata (source, source type, and host)
  • Configurable buffering
  • Data compression
  • SSL security
  • Use of any available network ports

Use the universal forwarder to perform functions like data consolidation and load balancing.

Last modified on 29 March, 2022
  Universal forwarder system requirements

This documentation applies to the following versions of Splunk® Universal Forwarder: 8.2.3.1, 8.2.4, 8.2.5


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters