LSI Learn Splunk India Splunk blog

Splunk blog · Platform

Splunk Data Ingestion Guide: Forwarders, HTTP Event Collector & Best Practices (2026)

Data ingestion is the foundation of every Splunk deployment. Without reliable, efficient data collection, even the best SPL queries and dashboards are useless. This guide explains how Splunk ingests data, the types of forwarders available, and proven strategies to optimize volume while maintaining visibility.

Updated June 2026 · ~7 min read

How Splunk Data Ingestion Works

Splunk follows a three-stage pipeline:

  1. Input: Data is collected from files, network ports, APIs, or scripts.
  2. Parsing: Data is broken into events, timestamps are extracted, and fields are identified.
  3. Indexing: Events are written to compressed indexes on disk and made searchable.

The component responsible for input is called a forwarder. Splunk offers two types.

Universal Forwarder (UF)

The Universal Forwarder is a lightweight, purpose-built agent installed on endpoints, servers, and devices. It does not parse data; it simply monitors files and network ports and forwards raw data to Splunk indexers or Heavy Forwarders.

Key characteristics:

  • Minimal resource footprint (~50 MB RAM, low CPU)
  • No built-in search or parsing capabilities
  • Monitors files, Windows Event Logs, and scripted inputs
  • Uses the Splunk-to-Splunk protocol for secure transmission

Best for: Windows/Linux servers, workstations, cloud instances, and IoT devices.

Heavy Forwarder (HF)

The Heavy Forwarder is a full Splunk instance configured to forward data. Unlike the UF, it can parse, filter, and route data before sending it to indexers.

Key capabilities:

  • Filtering: Drop unwanted events before indexing to reduce license consumption.
  • Routing: Send data to different indexers or Splunk Cloud based on source or content.
  • Parsing: Apply index-time field extractions and transformations.
  • Aggregation: Collect data from multiple UFs and batch it efficiently.

Best for: Data consolidation points, syslog aggregation, and environments requiring complex routing.

HTTP Event Collector (HEC)

The HTTP Event Collector is a token-based REST API that allows applications to send data directly to Splunk over HTTPS. It is ideal for modern, cloud-native architectures.

Use cases:

  • Application logs from microservices (Node.js, Python, Go)
  • Cloud platform events (AWS Lambda, Azure Functions)
  • CI/CD pipeline events (GitHub Actions, Jenkins)
  • Container logs (Kubernetes, Docker)

Example curl request:

curl -k https://splunk-hec:8088/services/collector/event \
  -H "Authorization: Splunk <token>" \
  -d '{"event": "Hello from my app", "sourcetype": "myapp", "index": "main"}'

Syslog Ingestion

Many network devices (firewalls, routers, switches) send data via syslog. Splunk supports syslog ingestion through:

  • Syslog server + Heavy Forwarder: A standard approach for aggregating network logs.
  • Splunk Connect for Syslog (SC4S): A modern, containerized syslog collector that normalizes syslog data before forwarding to Splunk. It is faster and more scalable than traditional syslog-ng/rsyslog setups.

Data Ingestion Best Practices

1. Filter at the Source

Use inputs.conf on Heavy Forwarders or props.conf with TRANSFORMS-null to drop unnecessary events before indexing. Every GB you filter is a GB you do not pay for.

2. Use the Correct Time Zone

Timestamp parsing errors cause data to be misindexed. Always configure TZ in props.conf for multi-timezone environments.

3. Monitor Forwarder Health

Deploy the Splunk Forwarder Monitoring app to track connection status, data lag, and license usage by source.

4. Enable Compression

Splunk compresses data by default, but network transmission between forwarders and indexers can also be compressed. Enable useACK and compressed in outputs.conf for WAN links.

5. Right-Size Your Indexers

Each indexer can handle roughly 100–300 GB/day of ingestion depending on hardware. Plan cluster capacity based on peak daily volume plus 30% headroom.

6. Use Index-Time Field Extraction Sparingly

Index-time extractions (e.g., INDEXED_EXTRACTIONS) speed up search but increase indexing load. Use search-time extractions (FIELDALIAS, EXTRACT) unless performance demands otherwise.

FAQ

Frequently asked questions

What is a Splunk Universal Forwarder?

A Universal Forwarder is a lightweight agent that collects data from endpoints and forwards it to Splunk indexers without parsing or filtering. It is the standard way to collect server and workstation logs.

What is the difference between a Universal Forwarder and a Heavy Forwarder?

A Universal Forwarder only collects and forwards raw data. A Heavy Forwarder can parse, filter, route, and transform data before indexing. HFs use more resources but offer more control.

What is HEC in Splunk?

HEC (HTTP Event Collector) is a REST API endpoint that allows applications to send JSON events directly to Splunk over HTTPS. It is commonly used for cloud-native and microservices logging.

How do I reduce Splunk data ingestion costs?

Filter unnecessary events at the forwarder, use data sampling for high-volume sources, route cold data to cheaper storage, and leverage Splunk workload pricing for predictable workloads.

Can Splunk ingest data from cloud platforms?

Yes. Splunk provides add-ons for AWS, Azure, and GCP that collect CloudTrail, CloudWatch, Azure Monitor, and GCP Audit Logs via API polling or event streaming.

Conclusion

Effective Splunk data ingestion is about balancing visibility with cost. Using the right forwarder type, filtering early, and following indexing best practices ensures your Splunk deployment delivers maximum insight without breaking your license budget. For high-volume environments, a combination of Universal Forwarders, Heavy Forwarders, and HEC provides the flexibility needed for modern hybrid infrastructure.