Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Without have access to the universal forwarder, can I check whether it is sending data to the heavy forwarder?

Sharmarohit1234
New Member
‎10-03-2018 09:42 PM

Hi All,

I am relatively new to Splunk, In my environment we are using deployment server to manage the deployment apps on universal forwarders.

During the installation of universal forwarders, we specify the deployment server in deployment.conf.

But we have not mentioned anything about forwarding the data to the heavy forwarder (HF).

On the web interface of our heavy forwarders, under forwarding and receiving, I cannot see any configuration set up.

How can I check whether universal forwarders are sending data to HF? Are indexers or data getting managed by the deployment server?

I don't have access to the universal forwarders as these are managed by some different team.

So I have to check the configuration within the HF, Indexer or deployment servers.

Regards
Rohit

0 Karma
Reply

harsmarvania57
Ultra Champion
‎10-04-2018 02:59 AM

Hi @Sharmarohit1234,

You can use below query to check which servers (Universal Forwarders, Heavy Forwarders, Search Heads OR any other Splunk servers) are sending data to Indexers.

index=_internal host=INDEXER_SERVERNAME source=*metrics.log* group=tcpin_connections | dedup hostname | table _time hostname os arch version sourceIp destPort fwdType ssl

In above query if you change INDEXER_SERVERNAME with HeavyForwarder_SERVERNAME you will able to figure out if any universal forwarders are sending data to Heavy Forwarder or not.

I didn't get your question Data is getting managed by Deployment server?, Deployment server will deploy configuration to UF, Heavy Forwarders etc. but it will not manage any data.

0 Karma
Reply

Sharmarohit1234
New Member
‎10-04-2018 05:06 PM

Thanks for your answer, I was not sure yesterday whether deployment server can manage the data as well or just apps, did some more research and found my answer.

Thanks for your support.
Regards
Rohit

0 Karma
Reply

iamarkaprabha
Contributor
‎10-03-2018 10:42 PM

You need to open up that port for sending data into your Deployment server.
If you have any FW on your env, you need to probably open that up too

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...