Splunk® Enterprise

Forwarding Data

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

Universal forwarder deployment overview

This topic provides high-level guidance on how to plan and execute the deployment of the universal forwarder.

Before attempting to deploy the universal forwarder, you should plan the deployment and familiarize yourself with how forwarding works. See:

Types of deployments

You can perform many types of deployments with the universal forwarder, depending on your specific needs:

Note: The universal forwarder is its own downloadable executable, separate from full Splunk Enterprise. Unlike the light and heavy forwarders, you do not enable it from a full Splunk Enterprise instance.

Steps to deployment

The actual procedure varies depending on the type of deployment, but these are the typical steps:

1. Plan your deployment.

2. Download the universal forwarder from http://www.splunk.com/download/universalforwarder

3. Install the universal forwarder on a test machine.

4. Perform any post-installation configuration.

5. Test and tune the deployment.

6. Deploy the universal forwarder to machines across your environment (for multi-machine deployments).

These steps are described below in more detail.

Important: Installing your forwarders is just one step in the overall process of setting up forwarding and receiving. For an overview of that process, see "Install the universal forwarder software".

Plan your deployment

Here are some of the issues to consider when planning your deployment:

  • How many (and what type of) machines will you be deploying to?
  • Will you be deploying across multiple OSs?
  • Do you need to migrate from any existing forwarders?
  • What, if any, deployment tools do you plan to use?
  • Will you be deploying via a system image or virtual machine?
  • Will you be deploying fully configured universal forwarders, or do you plan to complete the configuration after the universal forwarders have been deployed across your system?
  • What level of security does the communication between universal forwarder and indexer require?

Install, test, configure, deploy

For next steps, see the topic in this chapter that matches your deployment requirements most closely. Each topic contains one or more use cases that cover specific deployment scenarios from installation through configuration and deployment:

Note: The universal forwarder's executable is named splunkd, the same as the executable for full Splunk Enterprise. The service name is SplunkUniversalForwarder.

Last modified on 09 October, 2015

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0
