The Data Pipeline • Room 2

Forwarders: Universal vs. Heavy

Universal Forwarders (UF) are lightweight agents that collect and forward data. They use minimal resources and can't parse or index data locally.

Heavy Forwarders (HF) are full Splunk instances that can parse, filter, and route data before forwarding. Use them when you need pre-processing at the source.

Forwarders connect to indexers using outputs.conf. Load balancing across multiple indexers is configured with autoLB settings.

outputs.conf to indexers
[tcpout]
defaultGroup = my_indexers

[tcpout:my_indexers]
server = idx1:9997, idx2:9997, idx3:9997
autoLB = true
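
A quick consistency check for a forwarder's outputs.conf, added here as an example (it is not part of the original lesson or of Splunk's tooling): it confirms that defaultGroup names a defined [tcpout:<group>] stanza and that every server entry is host:port. The function names are hypothetical, the sample is constructed from the config above, and server entries are assumed to be hostnames or IPv4 addresses.

```python
import re

# Constructed sample mirroring the outputs.conf shown above (not a production file).
SAMPLE = """\
[tcpout]
defaultGroup = my_indexers

[tcpout:my_indexers]
server = idx1:9997, idx2:9997, idx3:9997
autoLB = true
"""

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def lint_outputs(text):
    """Return a list of findings; an empty list means the checks passed."""
    conf, findings = parse_conf(text), []
    groups = {n.split(":", 1)[1]: s for n, s in conf.items() if n.startswith("tcpout:")}
    default = conf.get("tcpout", {}).get("defaultGroup", "")
    targets = [g.strip() for g in default.split(",") if g.strip()]
    if not targets:
        findings.append("[tcpout] has no defaultGroup")
    for name in targets:
        if name not in groups:
            findings.append(f"defaultGroup '{name}' has no [tcpout:{name}] stanza")
            continue
        servers = [s.strip() for s in groups[name].get("server", "").split(",") if s.strip()]
        if not servers:
            findings.append(f"[tcpout:{name}] lists no servers")
        for s in servers:
            m = re.fullmatch(r"([A-Za-z0-9_.-]+):(\d{1,5})", s)
            if not m or not 1 <= int(m.group(2)) <= 65535:
                findings.append(f"[tcpout:{name}] bad server entry '{s}'")
        if len(servers) == 1:
            findings.append(f"[tcpout:{name}] has one indexer, so nothing to balance across")
    return findings

if __name__ == "__main__":
    print(lint_outputs(SAMPLE) or "ok")
```

Running it against each forwarder's deployed outputs.conf catches a forwarder whose output group is misnamed or whose indexer list is malformed before the gap shows up as missing events.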

Knowledge Check

Question 1 of 2
Which forwarder type can parse and filter data?
A. Universal Forwarder
B. Heavy Forwarder
C. Light Forwarder
D. Micro Forwarder