A forwarder is any Splunk Enterprise instance that forwards data to another Splunk Enterprise instance, such as:
An Indexer
Another forwarder
A third-party system (heavy forwaders only)
Splunk Enterprise has three types of forwarders:
A universal forwarder contains only the components required for forwarding data, nothing more, nothing less. In general, it is the best tool for sending data to indexers.
A heavy forwarder is a full Splunk Enterprise instance that can index, search, change and forward data. Certain features from a full Splunk Enterprise instance are disabled in order to reduce system resource use.
A light forwarder is also a full Splunk Enterprise instance, with even more features disabled to achieve as small a resource footprint as possible. Deprecated as of Splunk Enterprise version 6.0, the light forwarder is replaced by the universal forwarder for almost all purposes.
A universal forwarder collects data from a variety of places — whether data sources or other forwarders — and then sends it to a forwarder or a Splunk deployment. So, what can you do with universal forwarders? Capabilities include:
Tagging metadata (source, source type and host)
Configuring buffering
Compressing data
Securing via SSL
Using any available network ports
The primary benefits of universal forwarders include reliability, security and broad platform support. You can easily install Splunk Universal Forwarders on a variety of diverse computing platforms and architectures.
Perhaps the biggest benefit is the scalability of our universal forwarders. Because they use significantly less hardware resources than other Splunk products, you can install literally thousands of them without a loss in network and host performance or cost. Part of its low resource usage is because the forwarder does not have a user interface.
In fact, universal forwarders can scale to tens of thousands of remote systems — making it a breeze to collect terabytes of data.
references:
https://www.splunk.com/en_us/blog/learn/splunk-universal-forwarder.html
No comments:
Post a Comment