About the universal forwarder
Universal forwarders stream data from your machine to a data receiver. Your receiver is usually a Splunk platform index where you store your data. You can use the universal forwarder to monitor your data in real time.
Use the universal forwarder to ensure that your data is correctly formatted before sending it to Splunk. You can also manipulate your data before it reaches the indexes or manually add the data.
Benefits of the universal forwarder
Universal forwarders provide the following benefits:
- They are highly scalable
- They use significantly fewer hardware resources than other Splunk products
- You can install thousands of them without impacting network performance and cost
- The universal forwarder does not have a user interface, which helps minimize resource use
In general, forwarders provide the following capabilities:
- Metadata tagging, including source, source type, and host
- Configurable buffering
- Data compression
- SSL security
- Use of any available network ports
Configuring the universal forwarder
The following diagram shows the most common configuration for the universal forwarder.
See Deploy the universal forwarder to create your configuration. See Advanced configurations for the universal forwarder for examples of more advanced forwarder configurations.
This documentation applies to the following versions of Splunk® Universal Forwarder: 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1