In splunk , we generally use two type Forwarder:
Universal Forwarder (Light Forwarder):
Splunk “agent” installed on non-Splunk system to gather data locally, can’t parse or index by design
Smallest possible hardware footprint — designed to be installed
on production systems
“Heavy” Forwarder:
Splunk instance that gathers data, parses it, and forwards it on to an indexer – no data written to disk
Generally works as a remote collector, intermediate forwarder, and possible data filter because they parse data, they are not recommended for production systems
About license in enterprise environment : you can get here more details
... View more