Internal

• Splunk

Event

Segment

Field

Forwarding Agent

A forwarding agent is a Splunk instance that forwards data to another Splunk instance (an indexer or another forwarder) or to a third-party system. The forwarding agent is a minimalistic service that forwards information as close to real time as possible.

There are three types of forwarders:

• A universal forwarder is a streamlined, dedicated version of Splunk that contains only the essential components needed to forward data.
• A heavy forwarder is a full Splunk instance, with some features disabled to achieve a smaller footprint.
• A light forwarder is also a full Splunk instance, with most features disabled to achieve as small a footprint as possible. The universal forwarder, with its even smaller footprint yet similar functionality, supersedes the light forwarder for nearly all purposes.

In most respects, the universal forwarder represents the best tool for forwarding data to indexers. Its main limitation is that it forwards only unparsed data. Therefore, you cannot use it to route data based on event contents. For that, you must use a heavy forwarder.