https://community.splunk.com/t5/Getting-Data-In/Without-have-access-to-the-universal-forwarder-can-I-check/m-p/408254#M72383 <P>Thanks for your answer, I was not sure yesterday whether deployment server can manage the data as well or just apps, did some more research and found my answer.</P> <P>Thanks for your support.<BR /> Regards<BR /> Rohit</P> Fri, 05 Oct 2018 00:06:20 GMT Sharmarohit1234 2018-10-05T00:06:20Z https://community.splunk.com/t5/Getting-Data-In/Without-have-access-to-the-universal-forwarder-can-I-check/m-p/408251#M72380 <P>Hi All,</P> <P>I am relatively new to Splunk, In my environment we are using deployment server to manage the deployment apps on universal forwarders.</P> <P>During the installation of universal forwarders, we specify the deployment server in deployment.conf.</P> <P>But we have not mentioned anything about forwarding the data to the heavy forwarder (HF).</P> <P>On the web interface of our heavy forwarders, under forwarding and receiving, I cannot see any configuration set up.</P> <P>How can I check whether universal forwarders are sending data to HF? Are indexers or data getting managed by the deployment server?</P> <P>I don't have access to the universal forwarders as these are managed by some different team.</P> <P>So I have to check the configuration within the HF, Indexer or deployment servers.</P> <P>Regards<BR /> Rohit</P> Thu, 04 Oct 2018 04:42:47 GMT https://community.splunk.com/t5/Getting-Data-In/Without-have-access-to-the-universal-forwarder-can-I-check/m-p/408251#M72380 Sharmarohit1234 2018-10-04T04:42:47Z https://community.splunk.com/t5/Getting-Data-In/Without-have-access-to-the-universal-forwarder-can-I-check/m-p/408252#M72381 <P>You need to open up that port for sending data into your Deployment server. <BR /> If you have any FW on your env, you need to probably open that up too</P> Thu, 04 Oct 2018 05:42:38 GMT https://community.splunk.com/t5/Getting-Data-In/Without-have-access-to-the-universal-forwarder-can-I-check/m-p/408252#M72381 iamarkaprabha 2018-10-04T05:42:38Z https://community.splunk.com/t5/Getting-Data-In/Without-have-access-to-the-universal-forwarder-can-I-check/m-p/408253#M72382 <P>Hi @Sharmarohit1234,</P> <P>You can use below query to check which servers (Universal Forwarders, Heavy Forwarders, Search Heads OR any other Splunk servers) are sending data to Indexers.</P> <PRE><CODE>index=_internal host=INDEXER_SERVERNAME source=*metrics.log* group=tcpin_connections | dedup hostname | table _time hostname os arch version sourceIp destPort fwdType ssl </CODE></PRE> <P>In above query if you change <CODE>INDEXER_SERVERNAME</CODE> with <CODE>HeavyForwarder_SERVERNAME</CODE> you will able to figure out if any universal forwarders are sending data to Heavy Forwarder or not.</P> <P>I didn't get your question <CODE>Data is getting managed by Deployment server?</CODE>, Deployment server will deploy configuration to UF, Heavy Forwarders etc. but it will not manage any data.</P> Thu, 04 Oct 2018 09:59:03 GMT https://community.splunk.com/t5/Getting-Data-In/Without-have-access-to-the-universal-forwarder-can-I-check/m-p/408253#M72382 harsmarvania57 2018-10-04T09:59:03Z https://community.splunk.com/t5/Getting-Data-In/Without-have-access-to-the-universal-forwarder-can-I-check/m-p/408254#M72383 <P>Thanks for your answer, I was not sure yesterday whether deployment server can manage the data as well or just apps, did some more research and found my answer.</P> <P>Thanks for your support.<BR /> Regards<BR /> Rohit</P> Fri, 05 Oct 2018 00:06:20 GMT https://community.splunk.com/t5/Getting-Data-In/Without-have-access-to-the-universal-forwarder-can-I-check/m-p/408254#M72383 Sharmarohit1234 2018-10-05T00:06:20Z