While the universal forwarder is the preferred way to forward data, you might need to use heavy or light forwarders if you need to analyze or make changes to the data before you forward it, or you need to control where the data goes based on its contents. Unlike the universal forwarder, both heavy and light forwarders are full Splunk Enterprise instances with certain features turned off. Heavy and light forwarders differ in capability and the corresponding size of their resource footprints.

A heavy forwarder (sometimes referred to as a "regular forwarder") has a smaller footprint than an indexer but retains most of the capability, except that it cannot perform distributed searches. Some of its default functionality, such as Splunk Web, can be turned off, if necessary, to reduce the size of its footprint. A heavy forwarder parses data before forwarding it and can route data based on criteria such as source or type of event.

One key advantage of the heavy forwarder is that it can index data locally, as well as forward data to another Splunk instance. You must activate this feature. See Configure forwarders with outputs.conf in this manual for details.

A light forwarder has a smaller footprint with much more limited functionality. It forwards only unparsed data. The universal forwarder, which provides very similar functionality, supersedes it. The light forwarder has been deprecated but continues to be available mainly to meet legacy needs.

When you install a universal forwarder, you can migrate checkpoint settings from any (version 4.0 or greater) light forwarder that resides on the same host.

For detailed information on the capabilities of heavy and light forwarders, see Heavy and light forwarder capabilities in this manual.