Overview of Splunk Universal Forwarder

Splunk Universal Forwarder is a lightweight agent that collects machine data such as logs, metrics, and application events from endpoints and forwards it to Splunk Enterprise for indexing and search. It runs as a background service with a small CPU and memory footprint and supports TLS-encrypted transport to indexers, automatic load balancing across a group of indexers, and centralized configuration through a Deployment Server. In a Splunk Enterprise deployment the forwarder is the data collection layer: it streams raw data from distributed systems to the indexers, which parse, store, and index it so that it can be searched and used for dashboards, alerts, and analytics. Because the forwarder itself does little more than read and ship data, it scales to large fleets with minimal impact on endpoint performance.

Two points matter for security engineers. First, encryption and certificate verification are separate settings: a forwarder can send over TLS and still accept any certificate an indexer presents unless sslVerifyServerCert is enabled in outputs.conf, so both must be configured and checked. Second, the Deployment Server pushes apps (configuration and scripted or modular inputs) to every forwarder that polls it, which makes it a code distribution point; compromise of that server gives an attacker a path to run code on every managed endpoint, so it warrants the same protection as any other software distribution system.
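The following is an added example, not code from Splunk or from the original page. It embeds two constructed outputs.conf fragments for the tcpout group described above, one with the weak settings (no TLS, no server certificate verification) and one hardened, and audits them the way a configuration review would. The setting names (server, useSSL, clientCert, sslPassword, sslVerifyServerCert, sslCommonNameToCheck, autoLBFrequency) come from the outputs.conf specification; the hostnames, certificate path, and password placeholder are hypothetical.

```python
import configparser
from typing import List

# Constructed sample: a forwarder outputs.conf with the weak settings a
# reviewer should look for. Hostnames are hypothetical.
WEAK_OUTPUTS_CONF = """
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
useSSL = false
sslVerifyServerCert = false
"""

# Constructed sample: the same group with TLS to the indexers, a client
# certificate, and verification of the indexer's certificate and name.
# The certificate path and password value are placeholders.
HARDENED_OUTPUTS_CONF = """
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
useSSL = true
clientCert = $SPLUNK_HOME/etc/auth/forwarder.pem
sslPassword = placeholder-key-password
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.example.internal, idx2.example.internal
autoLBFrequency = 30
"""


def load_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk's INI-style .conf text, keeping key case as Splunk does."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def truthy(value) -> bool:
    """Splunk accepts true/false, 1/0 and yes/no for boolean settings."""
    return str(value).strip().lower() in ("true", "1", "yes")


def audit_outputs(text: str) -> List[str]:
    """Return one finding per weak setting in each tcpout group; empty means clean."""
    cp = load_conf(text)
    findings: List[str] = []
    for stanza in cp.sections():
        if not stanza.startswith("tcpout:"):
            continue
        group = stanza.split(":", 1)[1]
        sec = cp[stanza]
        servers = [s.strip() for s in sec.get("server", "").split(",") if s.strip()]
        if not servers:
            findings.append(f"{group}: no server list, the forwarder has nowhere to send")
        # TLS is in use if useSSL is true or a client certificate is configured
        # (the older sslCertPath setting also implies TLS).
        tls = (truthy(sec.get("useSSL", "false"))
               or "clientCert" in sec or "sslCertPath" in sec)
        if not tls:
            findings.append(f"{group}: sends to {servers} in cleartext (useSSL is not true)")
        # Encryption without verification still allows an on-path indexer impersonation.
        if not truthy(sec.get("sslVerifyServerCert", "false")):
            findings.append(f"{group}: sslVerifyServerCert is not true, any indexer certificate is accepted")
        elif "sslCommonNameToCheck" not in sec and "sslAltNameToCheck" not in sec:
            findings.append(f"{group}: verifies the CA chain but not the indexer name")
        if len(servers) < 2:
            findings.append(f"{group}: single indexer, no load balancing or failover")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_OUTPUTS_CONF), ("hardened", HARDENED_OUTPUTS_CONF)):
        print(label, audit_outputs(conf) or ["no findings"])
```

The check treats a group as encrypted only when useSSL is true or a client certificate is configured, and it reports a missing sslVerifyServerCert separately, since a forwarder that encrypts but does not verify will happily deliver its data to whoever answers on port 9997. Run it against the real $SPLUNK_HOME/etc/system/local/outputs.conf (or the app-level outputs.conf the Deployment Server pushes) to get the same findings for a live forwarder.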