difference between heavy forwarder and universal f...

sonusngh68 · ‎03-13-2018

Can somebody briefly explain difference between Universal Forwarder and Heavy Forwarder?

Also is it possible that we can use Heavy Forwarder to forward, parse and index data without Indexer?

deepashri_123 · ‎03-13-2018

Heu sonushgh68,

You can refer this doc and also this accepted answer in splunk for your reference:
http://docs.splunk.com/Documentation/SplunkCloud/7.0.0/Forwarding/Typesofforwarders
https://answers.splunk.com/answers/317035/indexer-and-heavy-forwarder-in-once.html

Let me know if this helps!!

tiagofbmm · ‎03-13-2018

Hi

A Universal Forwarder has no capability to parse data some metadata stamping on the events.

A Heavy Forwarder is a full Splunk Instance with all the capabilities of Splunk Enterprise. You can simultaneously use a Heavy Forwarder to send data (just like a Universal Forwarder does) and also parse and Index data.

Note one thing: when data goes through the parsing pipeline in a Heavy Forwarder, either it is indexed or it is sent already processed. On the contrary, data coming out of a Universal Forwarder goes in blocks, meaning it hasn't been "cooked" (line breaking, line merging, truncating etc).

tiagofbmm · ‎03-21-2018

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that

SamHTexas · ‎01-11-2022

Hello sir, do you by any chance know how to set up Alerts for a few Heavy Forwarders we have to notify us when the rate of output / sending data decreases below a certain level like 15% of the daily total? Thank u in advance.

difference between heavy forwarder and universal forwarder

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk