![]() ![]() The test file contained 367,463,625 events. ![]() This test was repeated with acknowledgment enabled and then repeated the tests again using a Universal Forwarder as the data source. The table below shows the results of sample tests, sending a dataset from a Heavy Forwarder to an indexer. The following tests were conducted by Splunk: The increase in network traffic is the result of Heavy Forwarder sending parsed/cooked data over the network with all the index time fields, raw event, and related metadata, rather than just a raw event.ĭoing all the parsing and filtering on the indexers when possible, keeps the network IO down, this makes the configuration simpler to manage through the use of Universal Forwarders. In some scenarios this also has been reported to increase the CPU and memory usage, compromising the efficiency gain from a distributed environment. DB connect) can’t be installed on the Universal Forwarder.Īs you must have seen Heavy Forwarders are used rather than Universal Forwarders to filter data before indexing, which seemed to be the most efficient use of resources, but most of the time resulted in increased complexity of the environment, also increased the amount of network IO that the indexers had to handle. Also if you need to do intermediate forwarding, universal forwarder should be the choice. We should keep in mind that Universal Forwarder was designed to collect the data from servers and forward data to other Splunk instances, hence is ideal for collecting files from disk or for use as an intermediate forwarder. When should you use the Universal Forwarder and why? The Universal Forwarder is a lightweight version of Splunk, with limited features. A Splunk Enterprise instance can be configured as a Heavy Forwarder. Splunk provides two different packages/binaries, the full version of Splunk (Splunk Enterprise) and the Universal Forwarder. The common question which keeps rattling in the mind of many Splunkers, when to use Universal Forwarder or the Heavy Forwarder. Whether to use Universal Forwarder or the Heavy Forwarder? ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |