Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What kind of forwarder do I have?

robert_vincent
Engager
‎07-11-2013 05:02 AM

I've inherited a distributed Splunk installation with no internal documentation and no access to the tech who originally installed it.

How can I tell, from examination of config files, whether a given forwarder is "Light", "Heavy", or "Universal" ?

0 Karma
Reply

linu1988
Champion
‎07-11-2013 05:12 AM

check the inputs.conf/outputs.conf files. They will give you a hint

0 Karma
Reply

rroberts
Splunk Employee
Splunk Employee
‎07-11-2013 05:12 AM

One way to do it:

Check your metrics.log for the value of a field called fwdType. You'll see:

UF (universal), LWF (Light Weight Fowarder, HWF (Heavy Weight Fowarder), FULL (splunk forwarding) for values.

Search: index=_internal source=*metrics.log fwdType= *

Example event:

INFO Metrics - group=tcpin_connections, 76.89.103.115:63150:9998, connectionType=cooked, sourcePort=63150, sourceHost=76.89.103.115, sourceIp=76.89.103.115, destPort=9998, _tcp_Bps=28427.55, _tcp_KBps=27.76, _tcp_avg_thruput=27.76, kb=415.15, tcpKprocessed=415.15, _tcp_eps=17.19, build=143156, version=5.0.1, os=Windows, arch=x64, hostname=Rick-Dualcore, guid=22A95A43-68AE-4052-9864-8B771F34A8F0, fwdType=full, ssl=false, lastIndexer=None, ack=false

Reply

varad_joshi
Communicator
‎10-13-2016 11:21 PM

Thank you for this. If my Splunk is listening on UDP as well then will to show here?
I searched in my environment with 'index=_internal source=*metrics.log | top fwdType' and I got only uf and full. How do I get UDP as well?

0 Karma
Reply

varad_joshi
Communicator
‎10-13-2016 11:27 PM

I typed that too early..

Little search and I was able to find it.

index=_internal source=*metrics.log group=udpin_connections | dedup sourcePort

0 Karma
Reply

rroberts
Splunk Employee
Splunk Employee
‎07-11-2013 08:14 AM

Great thanks!

0 Karma
Reply

robert_vincent
Engager
‎07-11-2013 06:26 AM

Thanks; I modified your suggested search as follows:

index=_internal source=*metrics.log | top fwdType

Looks like all our forwarders are "uf"

0 Karma
Reply

linu1988
Champion
‎07-11-2013 05:29 AM

And for Heavy/Light you will have a full splunk instance i.e. splunkd, splunkweb will be available but not in universal forwarder..

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...