Getting Data In
Highlighted

How to identify Lightweight Forwarders vs Universal Forwarders from Deployment Server?

Motivator

I'm dealing with an environment of mixed Lightweight Forwarders and Universal Forwarders. How can I tell, without logging into the forwarders, which is running what?

The build number for LWF/main package of Splunk is confusingly identical to that of the UF.

0 Karma
Highlighted

Re: How to identify Lightweight Forwarders vs Universal Forwarders from Deployment Server?

Splunk Employee
Splunk Employee

Try this:

index=_internal source=*metrics.log group=tcpin_connections | dedup sourceHost, sourceIp | table sourceHost, sourceIp, ssl, lastIndexer, fwdType

View solution in original post

Highlighted

Re: How to identify Lightweight Forwarders vs Universal Forwarders from Deployment Server?

Motivator

Great. This also works in 4.2, and contains hostnames instead of IPs (in our environment at least): index=_internal source=fwd | dedup hostname | table hostname, ssl, lastIndexer, fwdType

0 Karma