What is the difference between a universal and a heavy forwarder? [Intermediate]
Answer
A Universal Forwarder is lightweight and mainly forwards data with minimal parsing. A Heavy Forwarder is a full Splunk instance that can parse, filter, route, and transform data before sending it onward.
Technical explanation
Universal Forwarders are preferred for most endpoint log collection because they are efficient and easy to operate.
Heavy Forwarders are used when data must be parsed, masked, routed, or enriched before indexing.
Heavy Forwarders require more CPU, memory, maintenance, and configuration governance.
Hands-on example
Example: install Universal Forwarders on application servers to send JSON logs. Use a Heavy Forwarder at the network boundary to mask sensitive fields, drop debug events, and route security logs to index=security and application logs to index=prod_app.
Check how well your resume matches the role with our free resume checker— match score, ATS check, and the skills you're missing.
More Observability interview questions
- What is observability, and how is it different from traditional monitoring? [Basic]
- What are the three pillars of observability (metrics, logs, traces)? [Basic]
- What is the difference between monitoring and observability in practice? [Basic]
- What are the four golden signals of monitoring? [Basic]
- What is the difference between the USE method and the RED method? [Basic]
- When would you use the USE method versus the RED method? [Basic]
- What is an SLI, an SLO, and an SLA, and how do they relate? [Basic]
- How do you choose good SLIs for a service? [Basic]