The universal forwarder

The sole purpose of the universal forwarder is to forward data. Unlike a full Splunk instance, you cannot use the universal forwarder to index or search data. To achieve higher performance and a lighter footprint, it has several limitations:

  • The universal forwarder cannot search, index, or produce alerts with data.
  • The universal forwarder does not parse data except in certain limited situations. You cannot use it to route data to different Splunk indexers based on its contents. See the Forwarder Comparisons table later in this topic for details.
  • Unlike full Splunk Enterprise, the universal forwarder does not include a bundled version of Python.

The universal forwarder can get data from a variety of inputs and forward the data to a Splunk deployment for indexing and searching. It can also forward data to another forwarder as an intermediate step before sending the data onward to an indexer.
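The two-hop topology described above, shown as an added configuration example that is not part of the original page. Host names, the port, the monitored path, the index and the sourcetype are assumptions chosen for illustration. The stanzas and settings are standard `inputs.conf` and `outputs.conf` entries.

```ini
# Constructed example. Each section below belongs in the named file on the named host.

# --- Edge universal forwarder: inputs.conf ---
# Collect one local log file. The index must already exist on the indexers,
# because the universal forwarder itself cannot index data.
[monitor:///var/log/auth.log]
index = os_linux
sourcetype = linux_secure

# --- Edge universal forwarder: outputs.conf ---
# Everything this forwarder collects goes to the default group.
# The universal forwarder cannot choose a destination based on event contents.
[tcpout]
defaultGroup = intermediate

[tcpout:intermediate]
server = if1.example.internal:9997
# Indexer acknowledgment: data is re-sent if the receiver does not confirm it.
useACK = true

# --- Intermediate universal forwarder: inputs.conf ---
# Listen for data sent by other forwarders.
[splunktcp://9997]

# --- Intermediate universal forwarder: outputs.conf ---
# Pass the received data onward to the indexers.
# Listing several servers makes the forwarder load-balance across them.
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
useACK = true
```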

The universal forwarder is a separately downloadable piece of software. Unlike the heavy and light forwarders, you do not enable it from a full Splunk Enterprise instance.

To learn how to download, install, and deploy a universal forwarder, see Deploy the universal forwarder in the Universal Forwarder manual.