Splunk enterprise Vs Universal forwarder

0
votes

I am very new to splunk. I have installed the enterprise app on an EC2 instance.

I have many queries:

  1. What is the difference between splunk enterprise and universal forwarder?
  2. Difference between its capabilities?
  3. What use case they support?
2
amazon-web-servicessplunk

2 Answers

1
votes

Splunk's components include the Indexer, Search Head, and Universal Forwarder. In a small deployment it's common to install the Indexer and Search Head on one Splunk server, and this is the default install package you downloaded as "Splunk Enterprise".

The Universal Forwarder is the data collection agent. It collects data and "forwards" it to the Splunk server.

If you are running the Splunk server on the same system you want to collect data from, you don't have to use the Universal Forwarder, you can configure the server to collect data.

You can find a good getting started guide here: http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial

0
votes

Splunk has several components such as Search heads, Universal forwarder, Heavy forwarder and indexer.

Universal forwarder ultimately collect the logs from app and forwards to either Heavy forwarder to indexer or directly forward data indexers.