Deployment Architecture

What is the best way to setup forwarding?

New Member

First time Newbie. I have 2 VMs running RHEL 7.4. Both are running the Splunk app. 1 is set for forwarding and 1 for receiving from within the app under "Settings". It looks like it's working but I also see references to Universal Forwarders. What is the best way to go? This is just for learning purposes.


Mike Murphy

0 Karma


The remote server that is forwarding data should have a Universal Forwarder installed and the server that is receiving the data should have a full Splunk Enterprise install

Here's info for the Universal Forwarder

0 Karma

Splunk Employee
Splunk Employee

To build on this, while "best" is an "it depends" provoking question, I want to share with you that when I first started playing with Splunk, I also started with the classic full Splunk Enterprise install. Only after learning more and understanding the differences in forwarder types was I able to make a more informed choice to switch to the Universal Forwarder.

So, there's nothing "wrong" with what you're doing. I suggest, as you get more comfortable, read some of this material to learn more about the choices you are able to make, should you choose to make them.

Also, take a peek at the system requirements for Splunk on VMs. Those VMs are probably fine to play with but there's things to consider and min specs to get to when it's time to party in production.

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...