Intermediate forwarders are forwarders that receive data from other forwarders and then send that

data to indexers. They can be useful in some scenarios, such as when network bandwidth or security

constraints prevent direct forwarding to indexers, or when data needs to be routed, cloned, or

modified in transit. However, intermediate forwarders also introduce additional complexity and

overhead to the data pipeline, which can affect the performance and reliability of data ingestion.

Therefore, intermediate forwarders should be avoided when possible, and used only when there is a

clear benefit or requirement for them. Some of the drawbacks of intermediate forwarders are:

They increase the number of hops and connections in the data flow, which can introduce latency and

increase the risk of data loss or corruption.

They consume more resources on the hosts where they run, such as CPU, memory, disk, and network

bandwidth, which can affect the performance of other applications or processes on those hosts.

They require additional configuration and maintenance, such as setting up inputs, outputs, load

balancing, security, monitoring, and troubleshooting.

They can create data duplication or inconsistency if they are not configured properly, such as when

using cloning or routing rules.

Some of the

that support this answer are:

Configure an intermediate forwarder, which states: “Intermediate forwarding is where a forwarder

receives data from one or more forwarders and then sends that data on to another indexer. This kind

of setup is useful when, for example, you have many hosts in different geographical regions and you

want to send data from those forwarders to a central host in that region before forwarding the data

to an indexer. All forwarder types can act as an intermediate forwarder. However, this adds

complexity to your deployment and can affect performance, so use it only when necessary.”

Intermediate data routing using universal and heavy forwarders, which states: “This document

outlines a variety of Splunk options for routing data that address both technical and business

requirements. Overall benefits Using splunkd intermediate data routing offers the following overall

benefits: … The routing strategies described in this document enable flexibility for reliably processing

data at scale. Intermediate routing enables better security in event-level data as well as in transit.

The following is a list of use cases and enablers for splunkd intermediate data routing: … Limitations

splunkd intermediate data routing has the following limitations: … Increased complexity and

resource consumption. splunkd intermediate data routing adds complexity to the data pipeline and

consumes resources on the hosts where it runs. This can affect the performance and reliability of

data ingestion and other applications or processes on those hosts. Therefore, intermediate routing

should be avoided when possible, and used only when there is a clear benefit or requirement for it.”

Use forwarders to get data into Splunk Enterprise, which states: “The forwarders take the Apache

data and send it to your Splunk Enterprise deployment for indexing, which consolidates, stores, and

makes the data available for searching. Because of their reduced resource footprint, forwarders have

a minimal performance impact on the Apache servers. … Note: You can also configure a forwarder to

send data to another forwarder, which then sends the data to the indexer. This is called intermediate

forwarding. However, this adds complexity to your deployment and can affect performance, so use it

only when necessary.”