A Universal Forwarder (UF) is a lightweight agent designed for minimal resource usage. It reads raw data from a source and forwards it as an unparsed stream to the indexer. It attaches a single set of metadata (e.g., host, source, sourcetype) to the entire data stream or chunk. The indexer is then responsible for the parsing pipeline, which includes event breaking and timestamp extraction.

Conversely, a Heavy Forwarder (HF) is a full Splunk Enterprise instance. It performs the entire parsing pipeline locally before forwarding. It breaks the raw data into individual events, extracts timestamps, and can apply transforms. Consequently, it sends fully "cooked" individual events to the indexer, with each event carrying its own set of metadata. This per-event metadata overhead results in a larger total payload size compared to the UF's stream-based approach.

A: The payload format is fundamentally different (raw stream vs. parsed events), and the HF payload is larger due to per-event metadata, so they are not the same.

C: A Universal Forwarder never performs event breaking. This function is exclusively handled by the parsing pipeline on an indexer or a Heavy Forwarder.

D: This option incorrectly reverses the roles. The UF sends the raw stream with a single metadata set, while the HF sends individual, parsed events.

1. Splunk Enterprise Documentation, Forwarding Data Manual, "Types of forwarders": This section explicitly contrasts the forwarder types. It states, "A universal forwarder is a dedicated, streamlined version of Splunk Enterprise that contains only the essential components needed to forward data... It performs minimal processing on the data... It does not parse the data before forwarding it." For the heavy forwarder, it states, "A heavy forwarder is a full Splunk Enterprise instance... A heavy forwarder parses data before forwarding it." This confirms that the HF sends parsed, individual events while the UF sends an unparsed stream.

2. Splunk Enterprise Documentation, Getting Data In Manual, "The data pipeline": This document describes the stages of data processing. The "Parsing" phase, which breaks the data stream into individual events, occurs on the indexer for data received from a Universal Forwarder. For a Heavy Forwarder, this parsing occurs on the forwarder itself before the data is sent to the "Indexing" pipeline on the indexer. This architectural difference dictates the payload format described in the correct answer.

3. Splunk Enterprise Documentation, Forwarding Data Manual, "How forwarding works": This section details the underlying mechanism. Data from a Universal Forwarder is sent to the receivers/stream endpoint on an indexer, indicating a raw, unparsed stream. Data from a Heavy Forwarder is sent to the receivers/cooked endpoint, signifying that the data has already been processed (parsed) into individual events. This technical distinction directly supports the difference in payload structure.