Solved: Splunk Forwarder ? Full Fat Client ? Indexer ?

AaronMoorcroft · ‎03-28-2013

Hi Guys

I have an instance of Splunk installed on a sevrer which I need to upgrade I was under the impression that it was a forwarder however it has the web interface with tools avaiable, im told that this is a full fat client.

what should I be downloading to upgrade this instance with ? and will it have any effect on what work its already doing ? after upgrading,

Edit>>>

Ok So I have a little more info on this, I managed to get hold of the previous employee who looked after this, this specific installation im told is a Full Fat Forwarder, Ver 4.3.2 I still need to upgrade to the latest ver of 5.x.x

I gather that full fat forwarders no longer exist ? and it would be a universal forwarder that would now be downloaded and installed over the top of this, is that correct ? again would everything still work as it currently is ?

kristian_kolb · ‎03-28-2013

They sure do still exist. It's the same installation package as indexer/search head. There are just two products to choose from;
a) Universal Forwarder
b) Splunk

A full splunk installation can be an indexer (receives events), a search head (web gui for end users) or both. It can also act as a Heavy Forwarder. The difference is that you have configured it to NOT index events locally, and instead forward them to another splunk instance (namely the indexer). You can also opt to disable the web gui when running Splunk in the HF or indexer role.

As for upgrading you can just upgrade with a new version of Splunk (the full ), i.e. not Universal Forwarder.

You can install a UF instead of a full splunk, but it will not overwrite the existing installaion or inherit any of its configurations.

Hope this helps,

Kristian

View solution in original post

kristian_kolb · ‎03-28-2013

They sure do still exist. It's the same installation package as indexer/search head. There are just two products to choose from;
a) Universal Forwarder
b) Splunk

A full splunk installation can be an indexer (receives events), a search head (web gui for end users) or both. It can also act as a Heavy Forwarder. The difference is that you have configured it to NOT index events locally, and instead forward them to another splunk instance (namely the indexer). You can also opt to disable the web gui when running Splunk in the HF or indexer role.

As for upgrading you can just upgrade with a new version of Splunk (the full ), i.e. not Universal Forwarder.

You can install a UF instead of a full splunk, but it will not overwrite the existing installaion or inherit any of its configurations.

Hope this helps,

Kristian

kristian_kolb · ‎03-29-2013

you're welcome 🙂

AaronMoorcroft · ‎03-28-2013

Hey, Just completed the upgrade on our server without any issues at all, just wanted to say thanks again for your help, your a star

kristian_kolb · ‎03-28-2013

Yes, but DO read the following first, just in case;

http://docs.splunk.com/Documentation/Splunk/latest/Installation/HowtoupgradeSplunk

AaronMoorcroft · ‎03-28-2013

Thank you thats a great help, so if I go ahead and install a full installation of Splunk over the top of what I already have, would I be right in presuming that it will just keep all the settings it currently has and that will be that ?

Splunk Forwarder ? Full Fat Client ? Indexer ?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk