Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

difference between heavy forwarder and universal forwarder

sonusngh68
New Member
‎03-13-2018 03:40 PM

Can somebody briefly explain difference between Universal Forwarder and Heavy Forwarder?

Also is it possible that we can use Heavy Forwarder to forward, parse and index data without Indexer?

Tags (1)
0 Karma
Reply

deepashri_123
Motivator
‎03-13-2018 10:35 PM

Heu sonushgh68,

You can refer this doc and also this accepted answer in splunk for your reference:
http://docs.splunk.com/Documentation/SplunkCloud/7.0.0/Forwarding/Typesofforwarders
https://answers.splunk.com/answers/317035/indexer-and-heavy-forwarder-in-once.html

Let me know if this helps!!

0 Karma
Reply

tiagofbmm
Influencer
‎03-13-2018 06:03 PM

Hi

A Universal Forwarder has no capability to parse data some metadata stamping on the events.

A Heavy Forwarder is a full Splunk Instance with all the capabilities of Splunk Enterprise. You can simultaneously use a Heavy Forwarder to send data (just like a Universal Forwarder does) and also parse and Index data.

Note one thing: when data goes through the parsing pipeline in a Heavy Forwarder, either it is indexed or it is sent already processed. On the contrary, data coming out of a Universal Forwarder goes in blocks, meaning it hasn't been "cooked" (line breaking, line merging, truncating etc).

Reply

tiagofbmm
Influencer
‎03-21-2018 10:05 AM

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that

0 Karma
Reply

SamHTexas
Builder
‎01-11-2022 09:23 AM

Hello  sir, do you by any chance know how to set up Alerts for a few Heavy Forwarders we have to notify us when the rate of output / sending data decreases below a certain level like 15% of the daily total? Thank u in advance.

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...