How can I tell if a heavy forwarder or universal forwarder was installed on a box?

proletariat99
Communicator

I have a box that I didn't install that has a forwarder on it, but I'm not certain whether it's a Heavy Forwarder or a Universal Forwarder; I suspect the latter. The way my Splunk PS guy used was to look for the python binary, but he was still a little skeptical when we didn't find it (maybe someone removed it?). Is there a better way to tell the difference between the 2?

1 Solution

masonmorales
Influencer

Yes, a couple quick ways:

  • Size of the Splunk directory (HF is usually ~300 MB)
  • HF would have a web interface available (port 8000 by default)
  • HF requires a license and should show up on your license master as a slave

JDukeSplunk
Builder

So, I know you already have an answer for this, but here is a search we have that shows the Splunk forwarder version, if it's a "uf" or a full install, and what OS the host is. This can just be run on your search head, assuming the host you want to know about is reporting to your indexer.

index=_internal source=*metrics.log* group=tcpin_connections | regex hostname!="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | eval sos_server=hostname | stats latest(sourceIp) AS IP latest(arch) AS cpu_arch latest(fwdType) AS forwarder_type latest(os) AS os_name latest(version) AS version  by sos_server

martin_mueller
SplunkTrust

Yes, see https://localhost:8089/services/server/info for the server_roles field, doc'd here: http://docs.splunk.com/Documentation/Splunk/6.6.2/RESTREF/RESTintrospect#server.2Finfo

For quick reference, expect these values:

indexer
universal_forwarder
heavyweight_forwarder
lightweight_forwarder
license_master
license_slave
cluster_master
cluster_slave
cluster_search_head
deployment_server
deployment_client
search_head
search_peer
shc_captain
shc_deployer
shc_member
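As an added example (not code from this thread or from Splunk), the check martin_mueller describes done in Python: pull server_roles from /services/server/info and map it to the forwarder type. The JSON layout (output_mode=json returning entry[0].content), the Basic-auth credentials and the two sample responses are assumptions or constructed for the example.

```python
"""Classify a Splunk instance from the server_roles field of /services/server/info."""
import base64
import json
import ssl
import urllib.request

# Forwarder roles from the list above, mapped to the answer the question wants.
FORWARDER_ROLES = {
    "universal_forwarder": "Universal Forwarder",
    "heavyweight_forwarder": "Heavy Forwarder",
    "lightweight_forwarder": "Light Forwarder",
}


def classify_roles(server_roles):
    """Return the forwarder type for a server_roles list, or say why there is none."""
    if not server_roles:
        return "No roles reported"
    found = [FORWARDER_ROLES[r] for r in server_roles if r in FORWARDER_ROLES]
    if not found:
        return "Not a forwarder (roles: %s)" % ", ".join(server_roles)
    return found[0]


def parse_server_info(json_text):
    """Extract (version, server_roles) from the body returned with output_mode=json.
    Assumed layout: {"entry": [{"content": {"version": ..., "server_roles": [...]}}]}."""
    content = json.loads(json_text)["entry"][0]["content"]
    return content.get("version", "unknown"), content.get("server_roles", [])


def fetch_server_info(base_url="https://localhost:8089", user="admin",
                      password="changeme", verify_tls=True):
    """Call the endpoint with Basic auth (credentials are assumptions). Splunk ships a
    self-signed cert, so either trust it in the CA store or pass verify_tls=False."""
    req = urllib.request.Request(base_url + "/services/server/info?output_mode=json")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()


# Constructed sample responses (not real captures) in the assumed layout.
SAMPLE_UF = json.dumps({"entry": [{"content": {
    "version": "6.6.2", "server_roles": ["universal_forwarder"]}}]})
SAMPLE_HF = json.dumps({"entry": [{"content": {
    "version": "6.6.2", "server_roles": ["heavyweight_forwarder", "license_slave"]}}]})

if __name__ == "__main__":
    for text in (SAMPLE_UF, SAMPLE_HF):  # swap in fetch_server_info() for a live box
        version, roles = parse_server_info(text)
        print(version, classify_roles(roles))
```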

gekoner
Communicator

A couple of other hints:
- HF is installed in /opt/splunk (Linux) C:\ProgramFiles\Splunk (Win)
- UFC is installed in /opt/splunkforwarder/ (Linux) or C:\ProgramFiles\SplunkUniversalForwarder (Win)
- Size for v. 6.5.2 - HF =~1.9GB and UFC = ~500MB

john_petrucci
Explorer

Is there a way to tell the difference using the REST API?


proletariat99
Communicator

That's what I was looking for. Thanks!


martin_mueller
SplunkTrust

By default a UF should have a rate limit of 256kB/s while a HF does not.
