Splunk® Enterprise

Forwarding Data

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

The universal forwarder

The universal forwarder is a separate Splunk Enterprise executable whose sole purpose is to send data from a host or other forwarder to a Splunk Enterprise indexer.The universal forwarder replaces the Splunk Enterprise light forwarder. Instances of full Splunk Enterprise and the universal forwarder can co-exist on the same system.

For information on deploying the universal forwarder, see "Universal forwarder deployment overview".

How universal forwarder compares to full Splunk Enterprise

The universal forwarder only forwards data. Unlike a full Splunk Enterprise instance, it cannot index or search data. To achieve higher performance and a lighter footprint, it has several limitations:

  • The universal forwarder has no searching, indexing, or alerting capability.
  • The universal forwarder does not parse data, except in certain cases.
  • The universal forwarder does not output data via syslog.
  • Unlike full Splunk Enterprise, the universal forwarder does not include a bundled version of Python.

Scripted inputs and Python

Full Splunk Enterprise comes bundled with Python. The universal forwarder does not. Therefore, if you use scripted inputs with Python and you want to use those scripts with the universal forwarder, you must first install your own version of Python. If you have been using calls specific to Splunk Python libraries, you cannot with the universal forwarder, because those libraries exist only in full Splunk Enterprise. You may use other scripting languages for scripted inputs with the universal forwarder if the target host supports them (for example, PowerShell on Windows Server.)

How universal forwarder compares to the light forwarder

The universal forwarder includes only the essential components needed to forward data to other Splunk Enterprise instances. The light forwarder, by contrast, is a full Splunk Enterprise instance, with certain features disabled to achieve a smaller resource footprint. In all respects, the universal forwarder represents a better tool for forwarding data to indexers.

When you install the universal forwarder, you can migrate from an existing light forwarder that runs version 4.0 or greater. See "Migrate from a light forwarder" for details.

Compared to the light forwarder, the universal forwarder provides a better performing solution to forwarding. These are the main performance differences between the universal forwarder and the light forwarder:

  • The universal forwarder puts less load on the CPU, uses less memory, and has a smaller disk footprint.
  • The universal forwarder has a default data transfer rate of 256Kbps.
  • The universal forwarder cannot be converted to a full Splunk Enterprise instance.

Note: The light forwarder has been deprecated in Splunk Enterprise version 6.0. For a list of all deprecated features, see "Deprecated features" in the Release Notes.

Read on!

For information on deploying the universal forwarder, see the topics that directly follow this one.

For information on third-party Windows binaries that the Windows version of the Splunk Enterprise universal forwarder ships with, read "Information on Windows third-party binaries distributed with Splunk Enterprise" in the Installation Manual.

For information about running the universal forwarder in Windows Safe Mode, read "Splunk Enterprise Architecture and Processes" in the Installation Manual.

PREVIOUS
Types of forwarders
  NEXT
System requirements

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters