Heavy and light forwarders differ in capability and the corresponding size of their resource footprints.Ī heavy forwarder (sometimes referred to as a "regular forwarder") has a smaller footprint than an indexer but retains most of the capability, except that it cannot perform distributed searches. Unlike the universal forwarder, both heavy and light forwarders are full Splunk Enterprise instances with certain features disabled. While the universal forwarder is the preferred way to forward data, you might need to use heavy or light forwarders if you need to analyze or make changes to the data before you forward it, or you need to control where the data goes based on its contents. To learn how to download, install, and deploy a universal forwarder, see Install the universal forwarder in the Universal Forwarder manual. Learn more about the universal forwarder in the Universal Forwarder manual. Unlike the heavy and light forwarders, you do not enable it from a full Splunk Enterprise instance. The universal forwarder is a separately downloadable piece of software. It can also forward data to another forwarder as an intermediate step before sending the data onward to an indexer. The universal forwarder can get data from a variety of inputs and forward the data to a Splunk deployment for indexing and searching. Unlike full Splunk Enterprise, the universal forwarder does not include a bundled version of Python.See the Forwarder Comparisons table later in this topic for details. You cannot use it to route data to different Splunk indexers based on its contents. The universal forwarder does not parse data except in certain limited situations.The universal forwarder cannot search, index, or produce alerts with data.To achieve higher performance and a lighter footprint, it has several limitations: Unlike a full Splunk instance, you cannot use the universal forwarder to index or search data. The sole purpose of the universal forwarder is to forward data. The universal forwarder supersedes the light forwarder for nearly all purposes and represents the best tool for sending data to indexers. The light forwarder has been deprecated as of Splunk Enterprise version 6.0. A light forwarder is also a full Splunk Enterprise instance, with more features disabled to achieve as small a resource footprint as possible.The heavy forwarder has some features disabled to reduce system resource usage. A heavy forwarder is a full Splunk Enterprise instance that can index, search, and change data as well as forward it.The universal forwarder contains only the components that are necessary to forward data.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |