Universal forwarder deployment overview
This topic provides high-level guidance on how to plan and execute the deployment of the universal forwarder.
Before attempting to deploy the universal forwarder, you should plan the deployment and familiarize yourself with how forwarding works. See:
- "About forwarding and receiving" for an overview of forwarding and forwarders.
- "Forwarder deployment topologies" to learn about common forwarder deployment scenarios.
Types of deployments
You can perform many types of deployments with the universal forwarder, depending on your specific needs:
- You can deploy a Windows universal forwarder manually, either with the installer GUI or from the command line.
- You can deploy a *nix universal forwarder manually, using the CLI to configure it.
- You can remotely deploy a universal forwarder (Windows or *nix).
- You can make the universal forwarder part of a system image.
Note: The universal forwarder is its own downloadable executable, separate from full Splunk Enterprise. Unlike the light and heavy forwarders, you do not enable it from a full Splunk Enterprise instance.
Steps to deployment
The actual procedure varies depending on the type of deployment, but these are the typical steps:
1. Plan your deployment.
2. Download the universal forwarder from http://www.splunk.com/download/universalforwarder
3. Install the universal forwarder on a test machine.
4. Perform any post-installation configuration.
5. Test and tune the deployment.
6. Deploy the universal forwarder to machines across your environment (for multi-machine deployments).
These steps are described below in more detail.
Important: Installing your forwarders is just one step in the overall process of setting up forwarding and receiving. For an overview of that process, see "Install the universal forwarder software".
Plan your deployment
Here are some of the issues to consider when planning your deployment:
- How many (and what type of) machines will you be deploying to?
- Will you be deploying across multiple OSs?
- Do you need to migrate from any existing forwarders?
- What, if any, deployment tools do you plan to use?
- Will you be deploying via a system image or virtual machine?
- Will you be deploying fully configured universal forwarders, or do you plan to complete the configuration after the universal forwarders have been deployed across your system?
- What level of security does the communication between universal forwarder and indexer require?
Install, test, configure, deploy
For next steps, see the topic in this chapter that matches your deployment requirements most closely. Each topic contains one or more use cases that cover specific deployment scenarios from installation through configuration and deployment:
Note: The universal forwarder's executable is named splunkd, the same as the executable for full Splunk Enterprise. The service name is
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0