Splunk® Universal Forwarder

Forwarder Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

About the universal forwarder

Universal Forwarders stream data from your machine to a data receiver. Usually, the receiver is a Splunk index, where you store your Splunk data. This streaming ability allows you to monitor data in real time. It also ensures the correct formatting of your data for Splunk to properly receive it.

If you want to manipulate your data before they reach the indexes, or you do not want to manually put the data in the indexes yourself, you use a universal forwarder. See the following example diagram:

30 admin13 forwardreceive-dataforward 60.png

This is the most common configuration for the universal forwarder. See Deploy the Universal Forwarder to create this configuration. See Advanced Universal Forwarder Configurations for examples of more advanced forwarder configurations.

Benefits of the Universal Forwarder

Universal forwarders are highly scalable. You can install thousands of them without a strong impact on network and cost performance. Additionally, Universal Forwarders use significantly less hardware resources than other Splunk products. To keep it this way, it lacks a user interface.

Forwarders allow the following capabilities:

  • Tagging of metadata (source, source type, and host)
  • configurable buffering
  • Data compression
  • SSL security
  • Use of any available network ports
Last modified on 16 May, 2022
  NEXT
Universal forwarder prerequisites

This documentation applies to the following versions of Splunk® Universal Forwarder: 8.2.6

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters