What are forwarders?

The most efficient way to gather data from any remote machine is to install universal forwarders on the remote hosts. A universal forwarder is a dedicated, lightweight version of Splunk that contains only the essential components needed to send data. It shares many features with a full Splunk server, but it does not include Splunk Web and does not come bundled with the Python executable and libraries.

Forwarders are configured to consume data and forward it on to Splunk indexers for processing. They can handle exactly the same types of data and can consume the data in the same way as any Splunk instance, with one difference: they do not index the data themselves. Instead, they take in the data and pass it on to a Splunk indexer, which then does the indexing and searching.

In a typical Splunk deployment, forwarders serve as the primary consumers of data. For example, if you have a number of web servers generating data that you want to be able to search centrally, you can install a Splunk indexer and then install forwarders on all web servers. The forwarders can then be configured to send the logs to the indexer, which will store them and make them available for searching.

Forwarders are typically configured by editing the inputs.conf file.
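
The web-server scenario described above, written out as universal forwarder configuration (an added example, not from the original page). The log paths, the `web` index, the group name `central_indexers` and the host `indexer.example.com` are assumptions for illustration; the inputs go in inputs.conf, while the indexer the forwarder sends to is set in the companion outputs.conf file.

```ini
# ---- $SPLUNK_HOME/etc/system/local/inputs.conf (on each web server) ----
# What the forwarder reads. Paths and index name are assumed for this example.

# Tail the Apache access log and tag it with Splunk's built-in
# access_combined sourcetype so fields are extracted at search time.
[monitor:///var/log/apache2/access.log]
sourcetype = access_combined
# The "web" index must already exist on the indexer; events sent to a
# missing index are not searchable where you expect them.
index = web
disabled = false

# Tail the Apache error log into the same index.
[monitor:///var/log/apache2/error.log]
sourcetype = apache_error
index = web
disabled = false

# ---- $SPLUNK_HOME/etc/system/local/outputs.conf (on each web server) ----
# Where the forwarder sends what it reads.

[tcpout]
defaultGroup = central_indexers

[tcpout:central_indexers]
# Hostname is a placeholder; 9997 is the conventional receiving port and
# must match the port enabled for receiving on the indexer.
server = indexer.example.com:9997
# Indexer acknowledgment: the forwarder keeps data until the indexer
# confirms receipt, which reduces log loss if the connection drops.
useACK = true
```

Restart the forwarder after editing these files so the new inputs and output group take effect.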
Geek University 2022