Share +

Splunk Universal Forwarder   


Lightweight forwarder Deploy

What is Splunk universal forwarder?

The universal forwarder is Splunk's lightweight forwarder. Use it to gather data from a variety of inputs and forward the data to a Splunk Enterprise server for indexing and searching.

The universal forwarder's sole purpose is to forward data. Unlike a full Splunk Enterprise instance, you cannot use the universal forwarder to index or search data. To achieve higher performance and a lighter footprint, it has several limitations:

It has no searching, indexing, or alerting capability.
It does not parse data, except in certain cases.
It does not output data via syslog.
It does not include a bundled version of Python.


This box installs Splunk universal forwarder into the instance deployed using it.


Reliable, Secure Data Collection

Forwarders communicate using TCP sockets, so message delivery is guaranteed. Forwarders can detect a network outage and automatically failover to another target indexer or buffer events locally until the target indexer is available again. Indexers can be configured to provide index-side acknowledgement that data was received. Communication between a forwarder and indexer can be configured to use SSL authentication and encryption.

Centralized Management and Monitoring

Centralized forwarder management simplifies the administration of hundreds or thousands of forwarders in your environment. Forwarder management includes a visual interface to deploy thousands of configurations, monitor the status of rollouts and track down errors. Forwarders can also be remotely managed and configured via the Splunk REST API. The Distributed Management Console provides powerful forwarder monitoring in a visual interface that includes forwarder-indexer mapping.

Additional Capabilities

  • Rapidly deploy forwarders with an existing deployment solution, such as SCCM, Chef or Puppet
  • Forwarders support virtually any machine data format and run on most modern operating systems
  • No database schemas, parsers or connectors to design, deploy or purchase
  • Forwarders can load balance data between multiple indexers, route data in raw format to integrate with third-party systems, clone data to allow for high availability and conditionally route data to different locations to support multi-tenant environments.


Variable Description Default Value
indexer Port on which the Splunk universal forwarder will listen 9997
management Http port on which the Splunk universal forwarder will listen 8089
INSTALLER Splunk universal forwarder's package url for download its installer i.e.
PASSWORD Password of the user to manage the universal forwarder elasticbox
PATH_TO_MONITOR Path to logs folder to be monitored by Splunk universal forwarder i.e. /var/log/syslog
SOURCE_TYPE Name to associate with the type of data i.e. SYSLOG
RECEIVER Splunk Enterprise server's hostname or ip address to forward data i.e. - not needed if receivers binding is provided
receivers Splunk Enterprise server's binding to the instance to forward data i.e. splunk-server - not needed if RECEIVER value (hostname or ip) is provided

Deployment behavior

An instance executing this box will use bash scripting to download, install and configure a Splunk universal forwarder.

Box events handle the Splunk uf instance lifecycle as follows:

Install operation:

pre_install event script: downloads and installs the correct release of Splunk uf in the instance.

Configure operation:

configure event script: sets the new password, enables Splunk uf to start after boot, configures Splunk uf to listen to indexer port variable,
adds all matched instances returned by receivers binding as forwarder servers or the RECEIVER hostname or ip address if provided, list the forwarder servers,
and finally adds a monitor to PATH_TO_MONITOR location of the desired SOURCE_TYPE.

Start operation:

pre_start event script: restarts Splunk uf service.

Stop operation:

pre_stop event script: stops Splunk uf service.
Supported distributions

This deployment supports these Linux distributions:

  • Ubuntu 14.04

  • Red Hat Enterprise Linux on Amazon EC2

You Agree to the Provider Terms of Service Associated with this Software.
Not a customer? Register now.

Other Products by CAM




Multi-Cloud , Open Source

deployment models

not specified

operating systems

  • RedHat Enterprise Linux 7
  • Ubuntu 14