Getting Data In

How would I know my Linux and Windows machine have UF/HF installed on them?

SplunkDash
Motivator

Hello,

How would I know my Linux and Windows machine have UF/HF installed on them? One of them is installed in my machines for sure that I know.... but how I would know which one (UF or HF) .... What is the indicator if UF is there and What is the indicator if HF is there? I would appreciate your help on it and thank you so much. 


gcusello
SplunkTrust

Hi @SplunkDash,

yes, splunk means HF and splunkforwarder means UF.

As I said, remember that you can have the same information on Monitoring Console and Deployment Server (if you use it).

Ciao.

Giuseppe


gcusello
SplunkTrust

HI @SplunkDash,

in the Monitoring Console and in Forwarder Management on the Deployment Server, you have a lot of information about your Forwarders:

  • hostname
  • IP
  • type (HF or UF),
  • peak throughput
  • avg throughput.

About configurations, you have to see the Deployment Server (if you have it) or the system that you use to manage your clients (Ansible?).

Ciao.

Giuseppe


SplunkDash
Motivator

Hello @gcusello and @PickleRick,

Thank you so much for your response and support in these efforts.

I have 6 servers and all of them have Forwarders installed on them. I have full admin CLI access to all of them. I can see 2 of them have the splunk folders/subdirectories and 4 of them have the splunkforwarder folders. @PickleRick mentioned we should have a splunkforwarder folder on a server where the UF is installed. So the servers that have splunk folders have the HF installed on them, and servers with splunkforwarder folders have the UF? Please let me know if these are the correct statements. Thank you so much once again, and I truly appreciate your support in these efforts.


PickleRick
SplunkTrust

It's not so easy that the folder name alone gives you 100% confidence. One could have installed an HF in the /opt/splunk directory. It's kinda improbable but possible. And older UFs did install to /opt/splunk instead of /opt/splunkforwarder.

So that's an indicator: if the folder is named /opt/splunkforwarder you have some 95% chance that it's a UF.

I'd try the "splunk version" approach to be sure.


SplunkDash
Motivator

@gcusello and @PickleRick

Perfect!!! thank you so much again!


PickleRick
SplunkTrust

Depends on how "deeply" you want to look for it.

In case of a typical Linux installation I'd simply check the package manager for splunk packages and check if there is any /opt/splunk* directory. Similarly with Windows I'd check the list of installed software and check the default installation place - c:\program files\splunk* (can also try program files (x86) just to be on the safe side). But if you want to be sure that no one installed splunk components anywhere in the filesystem... well, you should comb your disks for any occurrence of the splunkd executable file on Linux and splunkd.exe on Windows. Can't help with mac. I suppose it will be similar to Linux, but I've never worked with splunk on mac (and I tend to avoid macs altogether).

SplunkDash
Motivator

Hello PickleRick,

Thank you so much for your response. All looked good. But my question was how would I know if this is a UF or HF? I know a forwarder is there... that I can check from the options you mentioned... however, how would I know if this is an HF or UF? Thank you so much again.


PickleRick
SplunkTrust

Ah, so you know that you have a splunk component installed, you just don't know which one?

Well, HF is a full Splunk Enterprise installation that simply doesn't do indexing.

With more recent releases it's relatively easy to spot the difference because the UF installs to the splunkforwarder directory instead of just splunk but... I'm not sure how it works with installations upgraded, for example, from 7.3 to 8.1.

But if your /opt or program files subdirectory is called splunkforwarder, then it's definitely a UF. There should also be a difference in the files contained within splunk's directory of course - look inside the etc/apps dir - a UF will have a SplunkUniversalForwarder app, an HF will most probably have SplunkForwarder instead.

But first thing I'd check would be to simply run "splunk version".

(09:41:38) (root@splunk:~)
# /opt/splunk/bin/splunk version
Splunk 8.2.5 (build 77015bc7a462)

and

(09:40:31) (user@laptop:~)
$ sudo /opt/splunkforwarder/bin/splunk version
Splunk Universal Forwarder 8.2.6 (build a6fe1ee8894b)

or

C:\WINDOWS\system32>"\Program Files\SplunkUniversalForwarder\bin\splunk.exe" version
Splunk Universal Forwarder 7.2.3 (build 06d57c595b80)
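The two Linux checks from this thread (the first line of "splunk version" and the app present under etc/apps) as an added example shell script; this is not Splunk's code and not from any poster. The install roots in the usage comment and the label ENTERPRISE for a full install are assumptions made for the example.

```shell
#!/bin/sh
# Added example for this thread (not Splunk's code and not from any poster):
# classify a Splunk install on Linux using the two indicators discussed above,
# the first line of "splunk version" and the app shipped under etc/apps.
# Labels: UF = Universal Forwarder, ENTERPRISE = full Splunk Enterprise install
# (per the thread an HF is a full Enterprise install that does not index, so
# the version banner alone cannot say "HF" more precisely than that).

# Classify one line of "splunk version" output.
classify_version_output() {
  case "$1" in
    "Splunk Universal Forwarder "*) echo UF ;;
    "Splunk "[0-9]*)                echo ENTERPRISE ;;
    *)                              echo UNKNOWN ;;
  esac
}

# Classify by the app directory: UF ships SplunkUniversalForwarder,
# a full install ships SplunkForwarder (as PickleRick notes above).
classify_apps_dir() {
  if [ -d "$1/etc/apps/SplunkUniversalForwarder" ]; then echo UF
  elif [ -d "$1/etc/apps/SplunkForwarder" ]; then echo ENTERPRISE
  else echo UNKNOWN
  fi
}

# For each candidate install root, run bin/splunk version if the binary is
# there, apply both checks, and print one tab-separated line per root.
# Roots that do not exist are skipped, so unused defaults are harmless.
inspect_installs() {
  for root in "$@"; do
    [ -d "$root" ] || continue
    if [ -x "$root/bin/splunk" ]; then
      ver=$("$root/bin/splunk" version 2>/dev/null | head -n 1)
    else
      ver="(no bin/splunk found)"
    fi
    printf '%s\tversion=%s\tapps=%s\t%s\n' "$root" \
      "$(classify_version_output "$ver")" "$(classify_apps_dir "$root")" "$ver"
  done
}

# Usage (run as root or with sudo if the install is root-only):
#   inspect_installs /opt/splunk /opt/splunkforwarder
```

If the two columns disagree (for example an old UF living in /opt/splunk), the version banner is the one to trust, as the thread concludes.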