- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How can I tell if a heavy forwarder or universal f...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a box that I didn't install that has a forwarder on it, but I'm not certain whether it's a Heavy Forwarder or a Universal Forwarder; I suspect the latter. The way my Splunk PS guy used was to look for the python binary, but he was still a little skeptical when we didn't find it (maybe someone removed it?). Is there a better way to tell the difference between the 2?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, a couple quick ways:
- Size of the Splunk directory (HF is usually ~300 MB)
- HF would have a web interface available (port 8000 by default)
- HF requires a license and should show up on your license master as a slave
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, I know you already have an answer for this, but here is a search we have that shows the splunk forwarder version, if its a "uf" or a full install, and what OS the host is. This can just be run on your search head, assuming the host you want to know about is reporting to your indexer.
index=_internal source=*metrics.log* group=tcpin_connections | regex hostname!="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | eval sos_server=hostname | stats latest(sourceIp) AS IP latest(arch) AS cpu_arch latest(fwdType) AS forwarder_type latest(os) AS os_name latest(version) AS version by sos_server
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, a couple quick ways:
- Size of the Splunk directory (HF is usually ~300 MB)
- HF would have a web interface available (port 8000 by default)
- HF requires a license and should show up on your license master as a slave
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, see https://localhost:8089/services/server/info for the server_roles field, doc'd here: http://docs.splunk.com/Documentation/Splunk/6.6.2/RESTREF/RESTintrospect#server.2Finfo
For quick reference, expect these values:
indexer
universal_forwarder
heavyweight_forwarder
lightweight_forwarder
license_master
license_slave
cluster_master
cluster_slave
cluster_search_head
deployment_server
deployment_client
search_head
search_peer
shc_captain
shc_deployer
shc_member
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A couple of other hints;
- HF is installed in /opt/splunk (Linux) C:\ProgramFiles\Splunk (Win)
- UFC is isntalled in opt/splunkforwarder/ (Linux) or C:\ProgramFiles\SplunkUniversalForwarder (Win)
- Size for v. 6.5.2 - HF =~1.9GB and UFC = ~500MB
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a way to tell the difference using the REST API?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's what I was looking for. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By default a UF should have a rate limit of 256kB/s while a HF does not.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
