Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What kind of forwarder do I have?

robert_vincent
Engager
‎07-11-2013 05:02 AM

I've inherited a distributed Splunk installation with no internal documentation and no access to the tech who originally installed it.

How can I tell, from examination of config files, whether a given forwarder is "Light", "Heavy", or "Universal" ?

0 Karma
Reply

linu1988
Champion
‎07-11-2013 05:12 AM

check the inputs.conf/outputs.conf files. They will give you a hint

0 Karma
Reply

rroberts
Splunk Employee
Splunk Employee
‎07-11-2013 05:12 AM

One way to do it:

Check your metrics.log for the value of a field called fwdType. You'll see:

UF (universal), LWF (Light Weight Fowarder, HWF (Heavy Weight Fowarder), FULL (splunk forwarding) for values.

Search: index=_internal source=*metrics.log fwdType= *

Example event:

INFO Metrics - group=tcpin_connections, 76.89.103.115:63150:9998, connectionType=cooked, sourcePort=63150, sourceHost=76.89.103.115, sourceIp=76.89.103.115, destPort=9998, _tcp_Bps=28427.55, _tcp_KBps=27.76, _tcp_avg_thruput=27.76, kb=415.15, tcpKprocessed=415.15, _tcp_eps=17.19, build=143156, version=5.0.1, os=Windows, arch=x64, hostname=Rick-Dualcore, guid=22A95A43-68AE-4052-9864-8B771F34A8F0, fwdType=full, ssl=false, lastIndexer=None, ack=false

Reply

varad_joshi
Communicator
‎10-13-2016 11:21 PM

Thank you for this. If my Splunk is listening on UDP as well then will to show here?
I searched in my environment with 'index=_internal source=*metrics.log | top fwdType' and I got only uf and full. How do I get UDP as well?

0 Karma
Reply

varad_joshi
Communicator
‎10-13-2016 11:27 PM

I typed that too early..

Little search and I was able to find it.

index=_internal source=*metrics.log group=udpin_connections | dedup sourcePort

0 Karma
Reply

rroberts
Splunk Employee
Splunk Employee
‎07-11-2013 08:14 AM

Great thanks!

0 Karma
Reply

robert_vincent
Engager
‎07-11-2013 06:26 AM

Thanks; I modified your suggested search as follows:

index=_internal source=*metrics.log | top fwdType

Looks like all our forwarders are "uf"

0 Karma
Reply

linu1988
Champion
‎07-11-2013 05:29 AM

And for Heavy/Light you will have a full splunk instance i.e. splunkd, splunkweb will be available but not in universal forwarder..

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...