Splunk Tutorial 07: Different Types of Forwarders in Splunk

As mentioned in previous blogs, the third way of getting data into a Splunk instance is to use a Splunk forwarder. A forwarder is an interface that allows a system to forward logs or data to a Splunk instance installed on a different computer. It can forward from one Splunk instance to another Splunk instance, or from a non-Splunk system to a Splunk instance on another computer.

There are three types of forwarders in Splunk:

  1. Universal Forwarder
  2. Heavy Forwarder
  3. Light Forwarder (Deprecated since Splunk Enterprise version 6.0)


| Type of Forwarder | Description |
|---|---|
| Universal forwarder | Contains only the components that are necessary to forward data. |
| Heavy forwarder | A full Splunk Enterprise instance that can index, search, and change data as well as forward it. The heavy forwarder has some features disabled to reduce system resource usage. |
| Light forwarder | Also a full Splunk Enterprise instance, with more features disabled to achieve as small a resource footprint as possible. The light forwarder has been deprecated as of Splunk Enterprise version 6.0. The universal forwarder supersedes the light forwarder for nearly all purposes and represents the best tool for sending data to indexers. |


In my next two blogs, I will go through how to set up those forwarders. However, as the setup needs to go across a few different systems, I recommend using virtual machines.

You may refer to my previous blogs for instructions on how to install a virtual machine.

How to Create a free Virtual computer for learning purposes?
