Automatically Send Data for Indexing

Forwarders provide reliable, secure data collection from various sources and deliver the data to Splunk Enterprise or Splunk Cloud for indexing and analysis. There are several types of forwarders, but the most common is the universal forwarder, a small-footprint agent installed directly on an endpoint. Forwarders automatically send file-based data of any kind to the Splunk indexer. In most cases these are log events, but the files can contain any data in any format.

Universal forwarders are centrally managed, require no configuration and are transparent to endpoint operations. Large Splunk customers deploy thousands of universal forwarders to gather data from servers, applications, employee endpoints and any Windows or Unix-based system regardless of location.

Universal forwarders:

  • Forward data from remote systems securely in real time
  • Have minimal resource overhead and impact on endpoint performance
  • Support thousands of machine data formats
  • Provide many features such as SSL, compression and buffering