The universal forwarder
The universal forwarder is a separate Splunk Enterprise executable whose sole purpose is to send data from a host or other forwarder to a Splunk Enterprise indexer. The universal forwarder replaces the Splunk Enterprise light forwarder. Instances of full Splunk Enterprise and the universal forwarder can co-exist on the same system.
For information on deploying the universal forwarder, see "Universal forwarder deployment overview".
How universal forwarder compares to full Splunk Enterprise
The universal forwarder only forwards data. Unlike a full Splunk Enterprise instance, it cannot index or search data. To achieve higher performance and a lighter footprint, it has several limitations:
- The universal forwarder has no searching, indexing, or alerting capability.
- The universal forwarder does not parse data, except in certain cases.
- The universal forwarder does not output data via syslog.
- Unlike full Splunk Enterprise, the universal forwarder does not include a bundled version of Python.
Scripted inputs and Python
Full Splunk Enterprise comes bundled with Python. The universal forwarder does not. Therefore, if you use scripted inputs with Python and you want to use those scripts with the universal forwarder, you must first install your own version of Python. If your scripts make calls specific to Splunk Python libraries, you cannot use those calls with the universal forwarder, because those libraries exist only in full Splunk Enterprise. You can use other scripting languages for scripted inputs with the universal forwarder if the target host supports them (for example, PowerShell on Windows Server).
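One way to check a Python scripted input before moving it to a universal forwarder is to scan it for imports of Splunk-only libraries. The following is an added example, not code from Splunk or from this documentation. It assumes those libraries are imported under the top-level package name `splunk`; the function name and the sample script are constructed for illustration.

```python
import ast

# Assumption: the libraries that exist only in full Splunk Enterprise are
# imported under the top-level package name "splunk" (for example
# splunk.Intersplunk). Adjust the set for your environment.
SPLUNK_ONLY_PACKAGES = {"splunk"}


def splunk_only_imports(source, packages=SPLUNK_ONLY_PACKAGES):
    """Return sorted (line, module) pairs for imports the forwarder cannot satisfy."""
    hits = set()
    # ast.walk visits nested nodes too, so imports inside functions or
    # try/except blocks are found as well as top-level ones.
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names = [node.module]  # absolute "from X import ..." only
        else:
            continue
        for name in names:
            if name.split(".")[0] in packages:
                hits.add((node.lineno, name))
    return sorted(hits)


# Constructed sample scripted input, not taken from any real app.
SAMPLE_SCRIPT = '''\
import os
import sys
import splunk.Intersplunk as si
from splunk import entity

def main():
    try:
        import splunk.rest
    except ImportError:
        pass
    sys.stdout.write("load=%s\\n" % os.getloadavg()[0])
'''

if __name__ == "__main__":
    for line, module in splunk_only_imports(SAMPLE_SCRIPT):
        print("line %d: imports %s (not available on the universal forwarder)"
              % (line, module))
```

A script with no findings still needs a Python interpreter installed on the forwarder host, as described above.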
How universal forwarder compares to the light forwarder
The universal forwarder includes only the essential components needed to forward data to other Splunk Enterprise instances. The light forwarder, by contrast, is a full Splunk Enterprise instance, with certain features disabled to achieve a smaller resource footprint. In all respects, the universal forwarder represents a better tool for forwarding data to indexers.
When you install the universal forwarder, you can migrate from an existing light forwarder that runs version 4.0 or greater. See "Migrate from a light forwarder" for details.
Compared to the light forwarder, the universal forwarder forwards data with better performance. These are the main performance differences between the universal forwarder and the light forwarder:
- The universal forwarder puts less load on the CPU, uses less memory, and has a smaller disk footprint.
- The universal forwarder has a default data transfer rate of 256Kbps.
- The universal forwarder cannot be converted to a full Splunk Enterprise instance.
Note: The light forwarder has been deprecated in Splunk Enterprise version 6.0. For a list of all deprecated features, see "Deprecated features" in the Release Notes.
For information on deploying the universal forwarder, see the topics that directly follow this one.
For information on third-party Windows binaries that the Windows version of the Splunk Enterprise universal forwarder ships with, read "Information on Windows third-party binaries distributed with Splunk Enterprise" in the Installation Manual.
For information about running the universal forwarder in Windows Safe Mode, read "Splunk Enterprise Architecture and Processes" in the Installation Manual.
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0