About the universal forwarder
Universal forwarders stream data from your machine to a data receiver. This receiver is usually a Splunk index where you store your Splunk data. Universal forwarder streaming lets you monitor data in real time.
The universal forwarder also ensures that your data is correctly formatted before sending it to Splunk. You can also manipulate your data before it reaches the indexes or manually add the data. See the following example diagram:
This is the most common configuration for the universal forwarder. See Deploy the Universal Forwarder to create this configuration. See Advanced Universal Forwarder Configurations for examples of more advanced forwarder configurations.
Benefits of the Universal Forwarder
Universal forwarders are highly scalable. They use significantly fewer hardware resources than other Splunk products. You can install thousands of them without impacting network performance and cost. The universal forwarder does not have a user interface, which helps minimize resource use.
Forwarders provide the following capabilities:
- Metadata tagging, including source, source type, and host
- Configurable buffering
- Data compression
- SSL security
- Use of any available network ports
Compatibility between forwarders and Splunk Enterprise indexers
This documentation applies to the following versions of Splunk® Universal Forwarder: 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.1.0, 9.1.1