-- Heavy Forwarder (HF)
The through put is 4 times of the input stream, hence loads the indexer processes. Heavy forwarder are useful if you want to filter out unwanted data ( > 25% of the input data), hence you save the cost for the less indexing volume. Use Splunk Enterprise for HF configuration. HF can index the data (not preferable since it downgrade the performance) and forward to Indexer. To process Real time events, indexer must be disabled for real time processing.
--- Light Weight and Universal forwarder
Both are same. The number of processes running and through put is same. The only difference is UF doesn't come with Python package. So if you want to collect the data from python script in UF and forward to Indexer, then you have manually install the python. There is separate installer for UF where is LF can use the splunk enterprise installer by enabling the LF option. LF and UF doesn't index the data andt extracting few parameters from input stream such as host, source & sourcetype.
Small note: In upcoming splunk release (mostly by 6.0.3 or next one), Heavy Forwarder throughput will be optimized and after that LF will not be supported officially.
If you like the answer, please vote.
Regards,
Jayanna Hallur,
Wipro Technologies, Mountain View, California.
... View more