Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

What kind of forwarder do I have?

robert_vincent
Engager
‎07-11-2013 05:02 AM

I've inherited a distributed Splunk installation with no internal documentation and no access to the tech who originally installed it.

How can I tell, from examination of config files, whether a given forwarder is "Light", "Heavy", or "Universal" ?

0 Karma
Reply

linu1988
Champion
‎07-11-2013 05:12 AM

check the inputs.conf/outputs.conf files. They will give you a hint

0 Karma
Reply

rroberts
Splunk Employee
Splunk Employee
‎07-11-2013 05:12 AM

One way to do it:

Check your metrics.log for the value of a field called fwdType. You'll see:

UF (universal), LWF (Light Weight Fowarder, HWF (Heavy Weight Fowarder), FULL (splunk forwarding) for values.

Search: index=_internal source=*metrics.log fwdType= *

Example event:

INFO Metrics - group=tcpin_connections, 76.89.103.115:63150:9998, connectionType=cooked, sourcePort=63150, sourceHost=76.89.103.115, sourceIp=76.89.103.115, destPort=9998, _tcp_Bps=28427.55, _tcp_KBps=27.76, _tcp_avg_thruput=27.76, kb=415.15, tcpKprocessed=415.15, _tcp_eps=17.19, build=143156, version=5.0.1, os=Windows, arch=x64, hostname=Rick-Dualcore, guid=22A95A43-68AE-4052-9864-8B771F34A8F0, fwdType=full, ssl=false, lastIndexer=None, ack=false

Reply

varad_joshi
Communicator
‎10-13-2016 11:21 PM

Thank you for this. If my Splunk is listening on UDP as well then will to show here?
I searched in my environment with 'index=_internal source=*metrics.log | top fwdType' and I got only uf and full. How do I get UDP as well?

0 Karma
Reply

varad_joshi
Communicator
‎10-13-2016 11:27 PM

I typed that too early..

Little search and I was able to find it.

index=_internal source=*metrics.log group=udpin_connections | dedup sourcePort

0 Karma
Reply

rroberts
Splunk Employee
Splunk Employee
‎07-11-2013 08:14 AM

Great thanks!

0 Karma
Reply

robert_vincent
Engager
‎07-11-2013 06:26 AM

Thanks; I modified your suggested search as follows:

index=_internal source=*metrics.log | top fwdType

Looks like all our forwarders are "uf"

0 Karma
Reply

linu1988
Champion
‎07-11-2013 05:29 AM

And for Heavy/Light you will have a full splunk instance i.e. splunkd, splunkweb will be available but not in universal forwarder..

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...