Getting Data In

How to tell what kind of forwarders in the environment?

lguinn2
Legend

I am new to a Splunk environment, and there are a lot of forwarders running. How can I identify which forwarders are Universal Forwarders, Light Forwarders or Heavy Forwarders?

I want to configure timezone information in props.conf, but I am not sure where to put it.

1 Solution

rroberts
Splunk Employee
Splunk Employee

index=_internal tcpin*

The fwdType field holds the forwarder type.

For example:
group=tcpin_connections, 204.236.145.235:54219:9997, connectionType=cooked, sourcePort=54219, sourceHost=204.236.145.235, sourceIp=204.236.145.235, destPort=9997, _tcp_Bps=24.84, _tcp_KBps=0.02, _tcp_avg_thruput=0.11, kb=0.75, _tcp_Kprocessed=4.79, _tcp_eps=0.06, build=128297, version=4.3.3, os=Linux, arch=x86_64, hostname=ip-10-166-186-254-archStudent, guid=2BEF811B-5EEB-469B-AD71-52A8FD6ECD00, fwdType=uf, ssl=false, lastIndexer=50.18.74.20:9997, ack=false


lguinn2
Legend

The indexers keep status info about every contact they have with forwarders. This is stored in the Splunk metrics.log, and is accessible in the _internal index. You can run this search to get some info about the forwarders:

index=_internal source=*metrics.log group=tcpin_connections 
| eval sourceHost=if(isnull(hostname), sourceHost,hostname) 
| dedup sourceHost
| eval connectionType=case(fwdType=="uf","univ fwder", fwdType=="lwf","lightwt fwder", fwdType=="full","heavy fwder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk fwder", connectionType=="raw" or connectionType=="rawSSL","legacy fwder")
| eval version=if(isnull(version),"pre 4.2",version)
| table connectionType sourceIp sourceHost destPort version

And BTW, you could put the same props.conf on all the forwarders and indexers. The universal forwarders and light forwarders will simply ignore any settings (like timezone) that are related to parsing.
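
The same classification that search performs, as an added Python example that is not part of any answer in this thread: it parses a few constructed tcpin_connections events in the format rroberts quotes, applies the fwdType/connectionType precedence from the case() above, dedups on hostname with sourceHost as the fallback, and labels a missing version as pre 4.2. The sample events, host names and addresses are made up.

```python
import re

# Constructed sample metrics.log events in the group=tcpin_connections format
# quoted above; hosts, IPs and values are made up for the example.
SAMPLE_LINES = [
    "group=tcpin_connections, 10.0.0.11:54219:9997, connectionType=cooked, sourceHost=10.0.0.11, "
    "sourceIp=10.0.0.11, destPort=9997, version=4.3.3, hostname=web01, fwdType=uf, ssl=false",
    # the same forwarder reconnecting; the dedup step must collapse it
    "group=tcpin_connections, 10.0.0.11:54220:9997, connectionType=cooked, sourceHost=10.0.0.11, "
    "sourceIp=10.0.0.11, destPort=9997, version=4.3.3, hostname=web01, fwdType=uf, ssl=false",
    # an old forwarder that reports no fwdType, hostname or version at all
    "group=tcpin_connections, 10.0.0.12:40001:9997, connectionType=raw, sourceHost=10.0.0.12, "
    "sourceIp=10.0.0.12, destPort=9997, ssl=false",
    "group=tcpin_connections, 10.0.0.13:40002:9997, connectionType=cookedSSL, sourceHost=10.0.0.13, "
    "sourceIp=10.0.0.13, destPort=9997, version=4.2.1, hostname=hf01, fwdType=full, ssl=true",
    # a different metrics.log group, which the inventory must ignore
    "group=per_sourcetype_thruput, series=splunkd, kbps=1.2, eps=3.0",
]

KV_RE = re.compile(r"(\w+)=([^,]+)")
FWD_TYPE = {"uf": "univ fwder", "lwf": "lightwt fwder", "full": "heavy fwder"}
CONN_TYPE = {"cooked": "Splunk fwder", "cookedSSL": "Splunk fwder",
             "raw": "legacy fwder", "rawSSL": "legacy fwder"}

def parse_metrics_line(line):
    """Split one comma-separated key=value event into a dict; tokens without
    an '=' (such as the ip:srcport:dstport triple) are skipped."""
    return {k: v.strip() for k, v in KV_RE.findall(line)}

def classify(ev):
    """Same precedence as the case() in the search above: fwdType wins when
    present, otherwise connectionType; None when neither matches."""
    return FWD_TYPE.get(ev.get("fwdType")) or CONN_TYPE.get(ev.get("connectionType"))

def forwarder_inventory(lines):
    """One row per forwarder, keyed on hostname with sourceHost as fallback
    (the isnull(hostname) eval plus dedup); 'pre 4.2' when version is absent."""
    seen = {}
    for line in lines:
        ev = parse_metrics_line(line)
        if ev.get("group") != "tcpin_connections":
            continue  # metrics.log carries many other groups
        host = ev.get("hostname") or ev.get("sourceHost")
        if not host or host in seen:
            continue  # keep the first event per forwarder, like dedup
        seen[host] = {"connectionType": classify(ev), "sourceIp": ev.get("sourceIp"),
                      "destPort": ev.get("destPort"), "version": ev.get("version", "pre 4.2")}
    return seen
```

Run forwarder_inventory(SAMPLE_LINES) to get three rows: web01 as a universal forwarder, 10.0.0.12 as a pre-4.2 legacy forwarder, and hf01 as a heavy forwarder.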

bmacias84
Champion

Hello lguinn,

You can use the metrics.log to gather info on your forwarder topology.

Here is a quick sample:

index=_internal source="*metrics.log*" sourcetype="splunkd" fwdType="*" | dedup sourceHost | table sourceHost, hostname, fwdType, guid, os, arch

OUTPUT:

sourceHost       hostname   fwdType  guid                                     os       arch
xxx.xxx.xx.135   SERVER02   uf       57xxxxx9-016D-4xxx3-xxC8-BA2xxxxxx46     Linux    x64
xx.xxx.xxx.167   DESKTOP01  uf       xxxx48506-BAED-4xxxA-8xxx5-13Fxxxxxxx00  Windows  x64


fwdType should contain the different forwarder types in your environment. As for configuring timezones, you would place them in the props.conf file on your indexers.

Example:

# apply US/Eastern to every host whose name starts with RIFDE
[host::RIFDE*]
TZ = US/Eastern

# or, per source path
[source::.../delaware/web_access.log]
TZ = US/Eastern

Hope this helps you. Cheers.

lguinn2
Legend

Dang, I have to type my own answer faster!

0 Karma