We should use a heavy forwarder for sending event-based data to Indexers.
To send event-based data to indexers, a heavy forwarder is more appropriate because it can parse and route data based on event contents. Universal forwarders are generally used for forwarding unparsed data, making the heavy forwarder the correct choice for handling event-based data.
I was also thinking that Universal was the answer but now I think this answers the question directly. The universal forwarder is the best tool for forwarding data to indexers. Its main limitation is that it forwards only unparsed data. To send event-based data to indexers, you must use a heavy forwarder. https://docs.splunk.com/Splexicon:Forwarder
https://docs.splunk.com/Splexicon:Heavyforwarder, "In most situations, the universal forwarder is the best way to forward data to indexers. Its main limitation is that it forwards only unparsed data, except in certain cases, such as structured data. You must use a heavy forwarder to route data based on event contents."
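What "route data based on event contents" looks like in practice, as an added example that is not part of any comment in this thread or of the Splunk documentation quoted above: a heavy forwarder configuration that sends events matching a regex to a separate indexer group. The sourcetype, stanza names, regex, group names and hostnames are all assumptions chosen for illustration.

```ini
# ---- props.conf (on the heavy forwarder) ----
# Bind a parsing-time transform to a sourcetype.
# "linux_secure" is an assumed sourcetype name for this example.
[linux_secure]
TRANSFORMS-route_auth_failures = route_auth_failures

# ---- transforms.conf (on the heavy forwarder) ----
# Inspect the raw event text; on a match, override the output group.
# The regex is a constructed sample pattern.
[route_auth_failures]
REGEX = Failed password for
DEST_KEY = _TCP_ROUTING
# Must match a [tcpout:<group>] stanza name in outputs.conf.
FORMAT = security_indexers

# ---- outputs.conf (on the heavy forwarder) ----
# Events that do not match any routing transform go to the default group.
[tcpout]
defaultGroup = default_indexers

# Placeholder hostnames; replace with real indexer addresses.
[tcpout:default_indexers]
server = idx1.example.com:9997, idx2.example.com:9997

[tcpout:security_indexers]
server = idx-sec1.example.com:9997
```

The `TRANSFORMS-` rule is evaluated during event parsing, which a heavy forwarder performs and a universal forwarder does not, so the same three stanzas on a universal forwarder would not route per event.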
B correct
https://docs.splunk.com/Splexicon:Heavyforwarder
Should we? We might use UF as well - answer is A, false