Forwarder comparison
This table summarizes the similarities and differences among the three types of forwarders:
| Features and capabilities | Universal forwarder | Light forwarder | Heavy forwarder |
|---|---|---|---|
| Type of Splunk Enterprise instance | Dedicated executable | Full Splunk Enterprise, with most features disabled | Full Splunk Enterprise, with some features disabled |
| Footprint (memory, CPU load) | Smallest | Small | Medium-to-large (depending on enabled features) |
| Bundles Python? | No | Yes | Yes |
| Handles data inputs? | All types (but scripted inputs might require Python installation) | All types | All types |
| Forwards to Splunk Enterprise? | Yes | Yes | Yes |
| Forwards to 3rd party systems? | Yes | Yes | Yes |
| Serves as intermediate forwarder? | Yes | Yes | Yes |
| Indexer acknowledgment (guaranteed delivery)? | Optional | Optional (version 4.2 and later) | Optional (version 4.2 and later) |
| Load balancing? | Yes | Yes | Yes |
| Data cloning? | Yes | Yes | Yes |
| Per-event filtering? | No | No | Yes |
| Event routing? | No | No | Yes |
| Event parsing? | Sometimes | No | Yes |
| Local indexing? | No | No | Optional, by setting indexAndForward attribute in outputs.conf
|
| Searching/alerting? | No | No | Optional |
| Splunk Web? | No | No | Optional |
For detailed information on specific capabilities, see the rest of this topic, as well as the other forwarding topics in the manual.