Advanced configurations for the universal forwarder
See the following Universal Forwarder advanced setup examples:
During load balancing, a forwarder distributes data across several receiving instances. Each receiver gets a portion of the total data, and together the receivers hold all the data. If a host goes down, the forwarder sends data to the next available receiver. Forwarders perform load balancing automatically. See Set up load balancing in the Forwarding Data manual.
The forwarder routes data to different indexers on a specified time or volume interval that you can specify. For example, if you have a load-balanced group that consists of indexer A, B, and C, at a specified interval, the forwarder switches the data stream to another indexer in the group at random. The forwarder might switch from indexer B to indexer A to indexer C, and so on. If one indexer is down, the forwarder immediately switches to another.
In a distributed deployment, the indexing logic and the data search logic are separated. It has both an indexer getting data from several inputs, and a search head, which searches across all the data found in this indexer. This is a great option if your daily data volume exceeds the capacity of a single-server deployment, or you want highly available data ingest. See Scale your deployment with Splunk Enterprise components in the Distributed Deployment Manual.
Distributed clustered deployment
This setup includes Indexer clustering with an appropriately configured data replication policy. In addition to being distributed, you combine multiple indexers to form an indexer cluster. This configuration keeps multiple copies of your data, increasing protection from data loss and availability of data. See Scale your deployment with Splunk Enterprise components in the Distributed Deployment Manual.
For more examples of advanced configurations, see https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf for detailed information on advanced Universal Forwarder setups.
How to forward data to Splunk Cloud Platform
Secure your Linux universal forwarder with a least-privileged user
This documentation applies to the following versions of Splunk® Universal Forwarder: 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.1.0, 9.1.1, 9.1.2