1
00:00:02,180 --> 00:00:09,140
The next component is the EV forwarder, as the name suggests, its heavy instance.

2
00:00:09,680 --> 00:00:15,920
It requires its own infrastructure to operate when compared with universal forwarder.

3
00:00:15,950 --> 00:00:21,290
It has additional capabilities of passing on storage of the data.

4
00:00:21,650 --> 00:00:22,220
But.

5
00:00:23,370 --> 00:00:24,480
Henry V for water.

6
00:00:24,510 --> 00:00:31,890
It is highly recommended not to store any data because it will be a duplication since your indexer is

7
00:00:31,890 --> 00:00:38,340
also storing the data and it comes with an added cost of the storage on the heavy forwarder.

8
00:00:39,880 --> 00:00:44,230
Every forward passes the data and sends it to the indexer.

9
00:00:44,920 --> 00:00:46,810
The parsing involves.

10
00:00:47,840 --> 00:00:56,980
Masking of your data filtering out noise from the logs and also IP forwarder will help improve indexer

11
00:00:56,990 --> 00:01:00,230
performance by decreasing the load of parsing.

12
00:01:00,980 --> 00:01:06,470
When we say passing it is the breaking down of events into smaller, manageable pieces.

13
00:01:06,830 --> 00:01:07,430
So.

14
00:01:08,370 --> 00:01:14,640
It will help improve indexer performance by decreasing the load of passing on the indexer.

15
00:01:14,670 --> 00:01:21,780
The every forward is usually optional component and small and medium enterprises.

16
00:01:22,950 --> 00:01:30,510
The need for having a heavy forwarder will be in the hands of Splunk admin or the architect to go for

17
00:01:30,510 --> 00:01:32,220
the heavy forwarder or not.

18
00:01:32,670 --> 00:01:40,020
Having a forward gives you following benefits like masking of the data filtering.

19
00:01:40,850 --> 00:01:45,650
Of the noise and reducing load on the index.

20
00:01:46,730 --> 00:01:54,860
All these can be done using the index, Rachel, but it comes with additional processing cost of the

21
00:01:54,860 --> 00:01:55,400
index.

22
00:01:55,790 --> 00:02:03,850
Always remember if your indexer performance is good, your overall Splunk performance will be good.

23
00:02:03,860 --> 00:02:13,070
So in order to improve performance on the index, we can have heavy forwarder masking filtering to reduce

24
00:02:13,070 --> 00:02:14,450
the passing load on the index.

25
00:02:14,630 --> 00:02:17,210
We can always afford every forwarder.

26
00:02:18,580 --> 00:02:21,040
But it's still an optional component.

27
00:02:21,190 --> 00:02:25,930
It is good to evaluate the option of having heavy forward in any environment.