Splunk® Universal Forwarder

Forwarder Manual

Advanced configurations for the universal forwarder

See the following Universal Forwarder advanced setup examples:

Load balancing

During load balancing, a forwarder distributes data across several receiving instances. Each receiver gets a portion of the total data, and together the receivers hold all the data. If a host goes down, the forwarder sends data to the next available receiver. Forwarders perform load balancing automatically. See Set up load balancing in the Forwarding Data manual.

The forwarder routes data to different indexers on a specified time or volume interval that you can specify. For example, if you have a load-balanced group that consists of indexer A, B, and C, at a specified interval, the forwarder switches the data stream to another indexer in the group at random. The forwarder might switch from indexer B to indexer A to indexer C, and so on. If one indexer is down, the forwarder immediately switches to another.

30 admin13 forwardreceive-balance 60.png

Distributed deployment

In a distributed deployment, the indexing logic and the data search logic are separated. It has both an indexer getting data from several inputs, and a search head, which searches across all the data found in this indexer. This is a great option if your daily data volume exceeds the capacity of a single-server deployment, or you want highly available data ingest. See Scale your deployment with Splunk Enterprise components in the Distributed Deployment Manual.

Screen Shot 2021-11-23 at 10.11.58 AM.png

Distributed clustered deployment

This setup includes Indexer clustering with an appropriately configured data replication policy. In addition to being distributed, you combine multiple indexers to form an indexer cluster. This configuration keeps multiple copies of your data, increasing protection from data loss and availability of data. See Scale your deployment with Splunk Enterprise components in the Distributed Deployment Manual.

Screen Shot 2021-11-23 at 10.36.37 AM.png

For more examples of advanced configurations, see https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf for detailed information on advanced Universal Forwarder setups.

Last modified on 04 April, 2022
How to forward data to Splunk Cloud Platform   About management mode for the universal forwarder

This documentation applies to the following versions of Splunk® Universal Forwarder: 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters