How To Splunk: Migrating a Universal Forwarder to a Heavy Forwarder

In this screencast, one of Hurricane Labs’ Splunk Administrators and Security Operations Analysts, Jeremy Nenadal, walks you through a “How-To” for turning a Universal Forwarder into a Heavy Forwarder in Splunk. Performing this upgrade can be beneficial to your organization for a variety of reasons.

You may want to perform this migration because:

  • A universal forwarder may not be able to fulfill the needs of your growing organization
  • Software you’re installing may require a heavy forwarder, which has additional features a universal forwarder lacks

Watch the screencast tutorial below for the full details of how to perform this upgrade.

This simple step-by-step process involves:

  • stopping the universal forwarder
  • installing the new forwarder software
  • (if running Windows) stopping that new forwarder from running
  • copying over the needed files
  • starting the new forwarder back up again

The reason for this particular process is to prevent re-indexing of files. If you uninstall the universal forwarder and then install the new version, you will end up re-indexing files, which you don’t want to do.
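The copy step on a Linux host, sketched as an added example that is not taken from the screencast: it refuses to copy while either forwarder is running, then checks that every copied file is byte-identical. The function names are hypothetical, and the list of "needed files" (the fishbucket, where Splunk keeps its file-monitoring checkpoints, plus etc/system/local) and the pid file location are assumptions to adjust to what the screencast shows.

```shell
#!/bin/sh
# Added example. Assumed, not stated on the page: which paths count as
# "needed files" and where splunkd keeps its pid file.
STATE_PATHS="${STATE_PATHS:-var/lib/splunk/fishbucket etc/system/local}"

# True if the splunkd recorded in this install's pid file is alive.
# kill -0 needs permission to signal the process: run as root or the Splunk user.
is_running() {
    pidfile="$1/var/run/splunk/splunkd.pid"
    [ -f "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# verify_copy OLD NEW REL: every file under OLD/REL must exist byte-identical in NEW.
verify_copy() {
    (cd "$1" && find "$3" -type f) | (
        while IFS= read -r f; do
            cmp -s "$1/$f" "$2/$f" || { echo "differs or missing: $f" >&2; exit 1; }
        done
    )
}

# copy_state OLD_HOME NEW_HOME
# Returns 2 if either forwarder is running, 3 on copy error, 4 on verify failure.
copy_state() {
    old="$1"; new="$2"
    for home in "$old" "$new"; do
        if is_running "$home"; then
            echo "refusing: splunkd is still running in $home" >&2
            return 2
        fi
    done
    for rel in $STATE_PATHS; do
        [ -d "$old/$rel" ] || { echo "skipping absent path: $rel" >&2; continue; }
        mkdir -p "$new/$rel" || return 3
        # "/." copies directory contents (dotfiles too); -p keeps modes and times
        cp -Rp "$old/$rel/." "$new/$rel/" || return 3
        verify_copy "$old" "$new" "$rel" || return 4
    done
    return 0
}

# Runs only when both install directories are passed as arguments.
if [ "$#" -eq 2 ]; then copy_state "$1" "$2"; fi
```

Invoke it with the old and new install directories as its two arguments, after stopping the universal forwarder and before starting the new one.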



