Forwarders & Deployment • Room 1

Universal vs Heavy Forwarders

Universal Forwarders (UF) are lightweight agents that collect and forward raw data. They do NOT parse data. Heavy Forwarders (HF) are full Splunk instances that parse, filter, and route data before forwarding.

Use UFs for simple log collection. Use HFs when you need to mask sensitive data (like credit card numbers) or route specific events to different indexes before they reach the indexers.

Knowledge Check

Prove your understanding to clear the room (Rewards XP)

Drag items to their correct zone (or tap item then tap zone on mobile)

Lightweight, no parsing, minimal resource usage

Full parsing, can mask/filter/route data

Defines where forwarder sends data

Load balances across multiple indexers

Universal Forwarder

Heavy Forwarder

outputs.conf

autoLBFrequency