Is it necessary to install the universal forwarder on a Splunk indexer so that it can index its own information?
No it's not necessary to install the universal forwarder on a Splunk indexer to index its own Windows log files.
A universal forwarder performs only minimal processing. It does not examine the data stream, but it does tag the entire stream with
metadata to identify source, source type, and host. It also divides the data stream into 64K blocks and performs some rudimentary timestamping on the stream, for use by the receiving indexer in case the events themselves have no discernible timestamps. The universal forwarder does not identify, examine, or tag individual events. it has several limitations:
· The universal forwarder has no searching, indexing, or alerting capability.
· The universal forwarder does not parse data.
· The universal forwarder does not output data via syslog.
Unlike full Splunk Enterprise, the universal forwarder does not include a
bundled version of Python.
Important: Universal forwarders are not able to switch indexers when monitoring TCP network streams of data (including Syslog) unless an EOF is reached or an indexer goes down, at which point the forwarder will switch to the next indexer in the list. Because the universal forwarder does not parse the data and identify event boundaries before forwarding the data to the indexer (unlike a heavy
forwarder), it has no way of knowing when it's safe to switch to the next indexer unless it receives an EOF.
The Universal Forwarder can absolutely switch between indexers before it reaches EoF or end of stream. You just need to enable a parameter in the outputs.conf called forceTimebasedAutoLB=True
This will force the forwarder to break the connection and stream to a new indexer at the time period specified in the autoLBFrequency parameter.
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf
See this great blog post by Deep for more info: http://blogs.splunk.com/2014/03/18/time-based-load-balancing/
In a typical deployment, you dedicate some hardware to Splunk for indexing purposes, and then use a combination of universal forwarders and Windows Management Instrumentation (WMI) to collect data from other machines in the enterprise.
The universal forwarder is designed to share resources on computers that perform other roles, and does much of the work that an indexer can, at much less cost. So you don't need to install the universal forwarder on a Splunk indexer to index its own Windows log files.
Noumssi, Thanks for the detailed information. A couple of my Indexers have universal forwarders installed on them. I'm not sure if the previous administrator intentionally installed them or why, but, I'm guessing if they are not needed there would be no reason not to uninstall the universal forwarders from these indexers. Agree?
No. What type of information on that machine do you want to index?
Standard Windows log files...Security,event,Application. as per our company requirements
Okay, then you should be able to follow the docs directly for this: http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/HowtogetWindowsdataintoSplunk.