Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

differences between forwarders?

a212830
Champion
‎05-30-2012 07:58 AM

Hi,

Can someone explain to me the difference between the light/universal/heavy forwarders? Where can I download the light forwarder? I only see universal forwarder in the download section.

Tags (1)
0 Karma
Reply

jhallur_splunk
Splunk Employee
Splunk Employee
‎02-04-2014 11:37 AM

-- Heavy Forwarder (HF)
The through put is 4 times of the input stream, hence loads the indexer processes. Heavy forwarder are useful if you want to filter out unwanted data ( > 25% of the input data), hence you save the cost for the less indexing volume. Use Splunk Enterprise for HF configuration. HF can index the data (not preferable since it downgrade the performance) and forward to Indexer. To process Real time events, indexer must be disabled for real time processing.

--- Light Weight and Universal forwarder
Both are same. The number of processes running and through put is same. The only difference is UF doesn't come with Python package. So if you want to collect the data from python script in UF and forward to Indexer, then you have manually install the python. There is separate installer for UF where is LF can use the splunk enterprise installer by enabling the LF option. LF and UF doesn't index the data andt extracting few parameters from input stream such as host, source & sourcetype.

Small note: In upcoming splunk release (mostly by 6.0.3 or next one), Heavy Forwarder throughput will be optimized and after that LF will not be supported officially.

If you like the answer, please vote.

Regards,
Jayanna Hallur,
Wipro Technologies, Mountain View, California.

Reply

ogdin
Splunk Employee
Splunk Employee
‎02-05-2014 09:59 AM

"Small note: In upcoming splunk release (mostly by 6.0.3 or next one), Heavy Forwarder throughput will be optimized and after that LF will not be supported officially."

The Light Weight Forwarder aka the SplunkLightForwarder app that ships with Splunk Enterprise has been deprecated as of Splunk 6 but we have made no decision on a release for removing the app (or support for the app) and the replacement of this capability, essentially a Splunk Forwarder + Python package and the delivery of this package has not been finalized either.

Splunk Product Management

Reply

dshpritz
SplunkTrust
SplunkTrust
‎05-30-2012 08:05 AM

The light forwarder is not a separate download. You use the same full version of Splunk (not the Universal Forwarder) and enable the SplunkLightForwarder app.

More on setting up a light forwarder:

http://docs.splunk.com/Documentation/Splunk/6.0.1/Forwarding/Deployaforwarder

Info on the types of forwarders:

http://docs.splunk.com/Documentation/Splunk/6.0.1/Forwarding/Typesofforwarders

The big reason that you might want to use the LightForwarder vs a UniversalForwarder, in my experience, is if you have Python based scripted inputs which you would like to use.

HTH,

Dave

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎05-30-2012 08:02 AM

Here's an overview. The LWF has been replaced with the UF for Splunk 4.2 and later. The HF will be the full splunk download just like you use for your core indexer/Search Head server.

http://docs.splunk.com/Documentation/Splunk/6.0.1/Forwarding/Typesofforwarders

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...