Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What kind of forwarder do I have?

robert_vincent
Engager
‎07-11-2013 05:02 AM

I've inherited a distributed Splunk installation with no internal documentation and no access to the tech who originally installed it.

How can I tell, from examination of config files, whether a given forwarder is "Light", "Heavy", or "Universal" ?

0 Karma
Reply

linu1988
Champion
‎07-11-2013 05:12 AM

check the inputs.conf/outputs.conf files. They will give you a hint

0 Karma
Reply

rroberts
Splunk Employee
Splunk Employee
‎07-11-2013 05:12 AM

One way to do it:

Check your metrics.log for the value of a field called fwdType. You'll see:

UF (universal), LWF (Light Weight Fowarder, HWF (Heavy Weight Fowarder), FULL (splunk forwarding) for values.

Search: index=_internal source=*metrics.log fwdType= *

Example event:

INFO Metrics - group=tcpin_connections, 76.89.103.115:63150:9998, connectionType=cooked, sourcePort=63150, sourceHost=76.89.103.115, sourceIp=76.89.103.115, destPort=9998, _tcp_Bps=28427.55, _tcp_KBps=27.76, _tcp_avg_thruput=27.76, kb=415.15, tcpKprocessed=415.15, _tcp_eps=17.19, build=143156, version=5.0.1, os=Windows, arch=x64, hostname=Rick-Dualcore, guid=22A95A43-68AE-4052-9864-8B771F34A8F0, fwdType=full, ssl=false, lastIndexer=None, ack=false

Reply

varad_joshi
Communicator
‎10-13-2016 11:21 PM

Thank you for this. If my Splunk is listening on UDP as well then will to show here?
I searched in my environment with 'index=_internal source=*metrics.log | top fwdType' and I got only uf and full. How do I get UDP as well?

0 Karma
Reply

varad_joshi
Communicator
‎10-13-2016 11:27 PM

I typed that too early..

Little search and I was able to find it.

index=_internal source=*metrics.log group=udpin_connections | dedup sourcePort

0 Karma
Reply

rroberts
Splunk Employee
Splunk Employee
‎07-11-2013 08:14 AM

Great thanks!

0 Karma
Reply

robert_vincent
Engager
‎07-11-2013 06:26 AM

Thanks; I modified your suggested search as follows:

index=_internal source=*metrics.log | top fwdType

Looks like all our forwarders are "uf"

0 Karma
Reply

linu1988
Champion
‎07-11-2013 05:29 AM

And for Heavy/Light you will have a full splunk instance i.e. splunkd, splunkweb will be available but not in universal forwarder..

0 Karma
Reply
Get Updates on the Splunk Community!

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...