Introducing the universal forwarder
The universal forwarder is a streamlined, dedicated version of Splunk Enterprise that contains only the essential components needed to forward data to receivers. Use the universal forwarder to gather data from a variety of inputs and forward the data to a Splunk Enterprise server for indexing and searching.
This section of the Distributed Deployment manual describes how to deploy the universal forwarder for a variety of systems and needs. For information on the different kinds of forwarders and detailed information on configuring them for a range of topologies and use cases, see the "Forward data" chapter of this manual.
The universal forwarder replaces the light forwarder.
Note: The universal forwarder is a separate executable from full Splunk Enterprise. Instances of full Splunk Enterprise and the universal forwarder can co-exist on the same system.
For information on deploying the universal forwarder, see "Universal forwarder deployment overview".
How universal forwarder compares to full Splunk Enterprise
The universal forwarder's sole purpose is to forward data. Unlike a full Splunk Enterprise instance, you cannot use the universal forwarder to index or search data. To achieve higher performance and a lighter footprint, it has several limitations:
- The universal forwarder has no searching, indexing, or alerting capability.
- The universal forwarder does not parse data, except in certain cases.
- The universal forwarder does not output data via syslog.
- Unlike full Splunk Enterprise, the universal forwarder does not include a bundled version of Python.
Scripted inputs and Python
Full Splunk Enterprise comes bundled with Python. The universal forwarder does not. Therefore, if you currently use scripted inputs with Python and you want to use those scripts with the universal forwarder, you must first install your own version of Python. If your scripts make calls specific to Splunk's Python libraries, you cannot use those calls with the universal forwarder, because those libraries exist only in full Splunk Enterprise. You can use other scripting languages for scripted inputs with the universal forwarder if they are otherwise supported on the target host (for example, PowerShell on Windows Server 2008).
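As an added example (not from the Splunk documentation), this check parses a scripted input's source and reports imports of the libraries bundled with full Splunk Enterprise, which are not available on a universal forwarder. It assumes those libraries are imported under the top-level package name `splunk`; the function names and sample scripts are constructed for illustration.

```python
import ast

# Assumption: the libraries bundled with full Splunk Enterprise are imported
# under the top-level package name "splunk" (for example splunk.Intersplunk).
BUNDLED_PACKAGES = {"splunk"}


def bundled_imports(source, filename="<scripted input>"):
    """Return sorted (line, module) pairs for imports of bundled Splunk packages."""
    tree = ast.parse(source, filename=filename)
    hits = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            # level == 0 means an absolute import; relative imports are local code
            names = [node.module]
        else:
            continue
        for name in names:
            if name.split(".")[0] in BUNDLED_PACKAGES:
                hits.add((node.lineno, name))
    return sorted(hits)


def portable_to_universal_forwarder(source):
    """True when the script imports nothing from the bundled Splunk packages."""
    return not bundled_imports(source)


# Constructed sample scripts, not taken from any real app.
SAMPLE_USES_SPLUNK_LIBS = '''\
import os
import splunk.Intersplunk as si
from splunk.clilib import cli_common
'''

SAMPLE_STDLIB_ONLY = '''\
import json, time
from .helpers import splunk   # relative import of a local module
'''

if __name__ == "__main__":
    for label, src in (("uses_splunk_libs", SAMPLE_USES_SPLUNK_LIBS),
                       ("stdlib_only", SAMPLE_STDLIB_ONLY)):
        print(label, portable_to_universal_forwarder(src), bundled_imports(src))
```

The check parses with the interpreter that runs it, so each script must be valid syntax for that Python version. It finds static imports only and does not detect modules loaded dynamically at run time.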
How universal forwarder compares to the light forwarder
The universal forwarder is a streamlined, self-contained forwarder that includes only the essential components needed to forward data to other Splunk Enterprise instances. The light forwarder, by contrast, is a full Splunk Enterprise instance, with certain features disabled to achieve a smaller footprint. In all respects, the universal forwarder represents a better tool for forwarding data to indexers. When you install the universal forwarder, you can migrate from an existing light forwarder, version 4.0 or greater. See "Migrating from a light forwarder" for details.
Compared to the light forwarder, the universal forwarder provides a better performing and more streamlined solution to forwarding. These are the main technical differences between the universal forwarder and the light forwarder:
- The universal forwarder puts less load on the CPU, uses less memory, and has a smaller disk footprint.
- The universal forwarder has a default data transfer rate of 256Kbps.
- The universal forwarder does not come bundled with Python.
- The universal forwarder is a forwarder only; it cannot be converted to a full Splunk Enterprise instance.
Note: The light forwarder has been deprecated in Splunk Enterprise version 6.0. For a list of all deprecated features, see the topic "Deprecated features" in the Release Notes.
For information on deploying the universal forwarder, see the topics that directly follow this one.
For information on using the universal forwarder to forward data and participate in various distributed topologies, see the topics in the "Overview" chapter of this manual. Those topics also discuss light and heavy forwarders.
For information on third-party Windows binaries that the Windows version of the Splunk Enterprise universal forwarder ships with, read "Information on Windows third-party binaries distributed with Splunk Enterprise" in the Installation Manual.
For information about running the universal forwarder in Windows Safe Mode, read "Splunk Enterprise Architecture and Processes" in the Installation Manual.
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15