Splunk Enterprise Certified Architect — Question 31

When would a Heavy Forwarder be needed instead of a Universal Forwarder?

Answer options

• A. To use Splunk TCP to forward event data.
• B. To route event data to an indexer cluster.
• C. To mask event data from Linux inputs prior to forwarding to indexers.
• D. To change event host names based on the folder structure where the input is found.

Correct answer: C

Explanation

A Heavy Forwarder is used to process and mask event data, which is necessary in this scenario to ensure sensitive information is not forwarded to indexers. The other options do not require the additional processing capabilities of a Heavy Forwarder, as a Universal Forwarder can handle TCP forwarding, routing to indexers, and changing host names without needing the same level of data handling.