Solved: How to identify Lightweight Forwarders vs Universa...

Jason · ‎06-07-2011

I'm dealing with an environment of mixed Lightweight Forwarders and Universal Forwarders. How can I tell, without logging into the forwarders, which is running what?

The build number for LWF/main package of Splunk is confusingly identical to that of the UF.

mw · ‎06-07-2011

Try this:

index=_internal source=*metrics.log group=tcpin_connections | dedup sourceHost, sourceIp | table sourceHost, sourceIp, ssl, lastIndexer, fwdType

View solution in original post

mw · ‎06-07-2011

Try this:

index=_internal source=*metrics.log group=tcpin_connections | dedup sourceHost, sourceIp | table sourceHost, sourceIp, ssl, lastIndexer, fwdType

Jason · ‎06-09-2011

Great. This also works in 4.2, and contains hostnames instead of IPs (in our environment at least): index=_internal source=fwd | dedup hostname | table hostname, ssl, lastIndexer, fwdType

How to identify Lightweight Forwarders vs Universal Forwarders from Deployment Server?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation