ARCHIVED: About the Splunk universal forwarder

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

The Splunk universal forwarder is a free, dedicated version of Splunk Enterprise that contains only the essential components needed to forward data. TechSelect uses the universal forwarder to gather data from a variety of inputs and forward your machine data to Splunk indexers. The data is then available for searching.

The universal forwarder is designed to run on production servers, having minimal CPU and memory usage and the least impact possible on mission-critical software.

Forwarders communicate with deployment servers, which then send configurations to the client forwarder. These configurations tell the forwarder what data to send to which indexers.

The forwarder sends the data encrypted to the indexers. Once the data is written to the Splunk index, searching can begin immediately; thus, searches are up to date within moments of the event occurrence.

Notes:

Universal forwarders do not have a web or application interface. Once installed, you must make configuration changes at the command line in both Windows and Unix- or Linux-based systems.
Best practices:
- Use the universal forwarder when possible as a data collection method.
- Stop and start the universal forwarder from the command line.
The Splunk license model is to bill by the amount of GB of daily data ingestion.

Benefits

Benefits of using the Splunk universal forwarder:

Data consolidation from all types of inputs
Reduces indexer load on the Data Center side (push vs. pull method)
Improves resiliency by buffering data when needed, sending to available indexers and switching to others when needed (auto load balance)
Administered remotely with the deployment server