Solved: Why do we require splunk forwarder as we can have ...

rashokciet · ‎04-06-2015

In all our servers splunk 6.1.5 has been installed and splunkd service is capturing all the required data.So what is the use of splunk forwarder ??Is there any benefit having splunk forwarder rather than running splunkd and where do we use it???

jeffland · ‎04-07-2015

A "splunkd" running somewhere that sends its data to another machine essentially is a fowarder; a forwarder is not something "extra": http://docs.splunk.com/Splexicon:Forwarder

Comparing the different variants of a forwarder, the benefit of a heavy forwarder as opposed to a light/universal forwarder is that it can filter your data on event level before it hits your index, so it can save you some indexing volume (and network bandwith/processing power on the indexer).

You could also make use of intermediate forwarders: http://docs.splunk.com/Documentation/Splunk/6.2.2/Forwarding/Forwarderdeploymenttopologies#Intermedi...

View solution in original post

mikelanghorst · ‎04-07-2015

"Splunk Forwarder" is typically referring to the lighter weight install of the Splunk Universal Forwarder or UF. It has a smaller disk footprint with some functionality stripped out, and smaller memory usage. Typically if you're only reading files or running scripted inputs, such as Splunk_TA_nix, the UF is all that's needed. However as jeffland mentions there are some occasions that the full install or heavy forwarder is desired. Being able to filter unneeded data before hitting the wire, or acting as a collection node between data centers being 2 of those reasons.

rashokciet · ‎04-07-2015

Splunkd can handle search request and splunk forwarder cannot handle search request - Is that correct??
The searching is done by splunk web so both should handle search request ??? I am confused.

Your help was and will be appreciated.

jeffland · ‎04-07-2015

That's kinda in the right direction. I would encourage you to learn about splunk architecture to understand the different system parts and how they work together: http://www.splunk.com/view/SP-CAAABF9 and http://docs.splunk.com/Documentation/Splunk/6.2.2/Deploy/Distributedoverview

jeffland · ‎04-07-2015

A "splunkd" running somewhere that sends its data to another machine essentially is a fowarder; a forwarder is not something "extra": http://docs.splunk.com/Splexicon:Forwarder

Comparing the different variants of a forwarder, the benefit of a heavy forwarder as opposed to a light/universal forwarder is that it can filter your data on event level before it hits your index, so it can save you some indexing volume (and network bandwith/processing power on the indexer).

You could also make use of intermediate forwarders: http://docs.splunk.com/Documentation/Splunk/6.2.2/Forwarding/Forwarderdeploymenttopologies#Intermedi...

rashokciet · ‎04-07-2015

Thanks jeffland

gyslainlatsa · ‎04-07-2015

hi rashokciet,

i don't know if this resolve your problem but i know that:
splunk operates together with the splunkd server and splunkweb interface. the server works in the background while the interface allows us to visualize the data.
splunk forwarder is important in a distributed environment, in this environment we need to send data from our machine to other machines. splunk forwrder is very important in case you frequently send the output data.

please forgive my english

rashokciet · ‎04-07-2015

Thanks gyslainlatsa

Why do we require splunk forwarder as we can have splunk installed and splunkd service can capture everything ???

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!