Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

What kind of forwarder do I have?

robert_vincent
Engager
‎07-11-2013 05:02 AM

I've inherited a distributed Splunk installation with no internal documentation and no access to the tech who originally installed it.

How can I tell, from examination of config files, whether a given forwarder is "Light", "Heavy", or "Universal" ?

0 Karma
Reply

linu1988
Champion
‎07-11-2013 05:12 AM

check the inputs.conf/outputs.conf files. They will give you a hint

0 Karma
Reply

rroberts
Splunk Employee
Splunk Employee
‎07-11-2013 05:12 AM

One way to do it:

Check your metrics.log for the value of a field called fwdType. You'll see:

UF (universal), LWF (Light Weight Fowarder, HWF (Heavy Weight Fowarder), FULL (splunk forwarding) for values.

Search: index=_internal source=*metrics.log fwdType= *

Example event:

INFO Metrics - group=tcpin_connections, 76.89.103.115:63150:9998, connectionType=cooked, sourcePort=63150, sourceHost=76.89.103.115, sourceIp=76.89.103.115, destPort=9998, _tcp_Bps=28427.55, _tcp_KBps=27.76, _tcp_avg_thruput=27.76, kb=415.15, tcpKprocessed=415.15, _tcp_eps=17.19, build=143156, version=5.0.1, os=Windows, arch=x64, hostname=Rick-Dualcore, guid=22A95A43-68AE-4052-9864-8B771F34A8F0, fwdType=full, ssl=false, lastIndexer=None, ack=false

Reply

varad_joshi
Communicator
‎10-13-2016 11:21 PM

Thank you for this. If my Splunk is listening on UDP as well then will to show here?
I searched in my environment with 'index=_internal source=*metrics.log | top fwdType' and I got only uf and full. How do I get UDP as well?

0 Karma
Reply

varad_joshi
Communicator
‎10-13-2016 11:27 PM

I typed that too early..

Little search and I was able to find it.

index=_internal source=*metrics.log group=udpin_connections | dedup sourcePort

0 Karma
Reply

rroberts
Splunk Employee
Splunk Employee
‎07-11-2013 08:14 AM

Great thanks!

0 Karma
Reply

robert_vincent
Engager
‎07-11-2013 06:26 AM

Thanks; I modified your suggested search as follows:

index=_internal source=*metrics.log | top fwdType

Looks like all our forwarders are "uf"

0 Karma
Reply

linu1988
Champion
‎07-11-2013 05:29 AM

And for Heavy/Light you will have a full splunk instance i.e. splunkd, splunkweb will be available but not in universal forwarder..

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...