Hi,
I am new to Splunk. I want to know if I can tell the differences of roles of Splunk servers using the REST API. For example, is it possible to know if a Splunk server is a heavy forwarder or a universal forwarder, or an indexer?
Thanks.
You can tell if it is a UF because that has a particular package that is different than the full enterprise package. The other roles are determined by how you configure it. For example, for a non-UF server, if it has a serverclass.conf
file (which you can check with the REST API), then it is a DS. If it has an outputs.conf
file, then it is a HF. If it has a distserach.conf
file, then it is a Search Head (which covers MC, LC, DS, so this does not tell anything other than it is not an Indexer or UF).
I know this is an old post but every Splunk enterprise server in a distributed deployment, except indexers, should have outputs.conf to forward its internal logs to the indexer(s). Also, the MC doesn't have a HF role designated, so I assume you aren't referring to MC roles here, just a function that server is performing. Is that right?
I have looked into that REST API. I am trying out Splunk now so I am not sure whether some of the roles are associated with licenses or not. For now, my splunk enterprise installs have ["license_master","indexer"] roles and my universal forwarder has ["universal_forwarder","license_master"] roles. I cannot see "heavyweight_forwarder" in the roles endpoint although I have configured one enterprise instance to forward data. Is it related to licensing or do I need to use a deployment server to assign roles (and can it even be done with trial license)?