I've inherited a distributed Splunk installation with no internal documentation and no access to the tech who originally installed it.
How can I tell, from examination of config files, whether a given forwarder is "Light", "Heavy", or "Universal"?
Check the inputs.conf/outputs.conf files. They will give you a hint.
One way to do it:
Check your metrics.log for the value of a field called fwdType. You'll see one of these values:
UF (Universal Forwarder), LWF (Light Weight Forwarder), HWF (Heavy Weight Forwarder), FULL (full Splunk instance forwarding).
Search: index=_internal source=*metrics.log fwdType=*
Example event:
INFO Metrics - group=tcpin_connections, 76.89.103.115:63150:9998, connectionType=cooked, sourcePort=63150, sourceHost=76.89.103.115, sourceIp=76.89.103.115, destPort=9998, _tcp_Bps=28427.55, _tcp_KBps=27.76, _tcp_avg_thruput=27.76, kb=415.15, tcpKprocessed=415.15, _tcp_eps=17.19, build=143156, version=5.0.1, os=Windows, arch=x64, hostname=Rick-Dualcore, guid=22A95A43-68AE-4052-9864-8B771F34A8F0, fwdType=full, ssl=false, lastIndexer=None, ack=false
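Added here as a worked example (not code from the thread, and not a Splunk-supplied tool): a small Python script that does the same classification offline over a batch of metrics.log lines, so you can run it against a file exported from a host you cannot search. It parses the key=value fields of each "Metrics - group=..." event, keeps one record per forwarder guid (the same idea as a dedup), expands fwdType to the labels given above, tallies the types like "| top fwdType", lists forwarders connecting with ssl=false, and also pulls the listening ports out of udpin_connections events. The sample log lines are constructed; the hostnames, IPs, GUIDs and throughput numbers are made up.

```python
import re
from collections import Counter

# Key=value pairs as splunkd writes them in metrics.log ("k=v, k=v, ...").
KV_RE = re.compile(r"(\w+)=([^,\s]*)")

# Labels for the fwdType values described in the answer above.
FWD_TYPE_LABELS = {
    "uf": "Universal Forwarder",
    "lwf": "Light Weight Forwarder",
    "hwf": "Heavy Weight Forwarder",
    "full": "full Splunk instance forwarding",
}

# Constructed sample metrics.log events for an offline run (hosts, IPs, GUIDs and numbers are invented).
# web01 appears twice (two connections) to show that records are deduplicated by guid.
SAMPLE_METRICS_LOG = """\
03-12-2013 10:15:02.123 -0500 INFO  Metrics - group=tcpin_connections, 10.0.0.11:53120:9997, connectionType=cooked, sourcePort=53120, sourceHost=10.0.0.11, sourceIp=10.0.0.11, destPort=9997, _tcp_Bps=1024.00, _tcp_KBps=1.00, _tcp_avg_thruput=1.00, kb=30.00, tcpKprocessed=30.00, _tcp_eps=2.00, build=143156, version=5.0.1, os=Linux, arch=x86_64, hostname=web01, guid=11111111-1111-1111-1111-111111111111, fwdType=uf, ssl=true, lastIndexer=None, ack=true
03-12-2013 10:15:02.124 -0500 INFO  Metrics - group=tcpin_connections, 10.0.0.11:53121:9997, connectionType=cooked, sourcePort=53121, sourceHost=10.0.0.11, sourceIp=10.0.0.11, destPort=9997, _tcp_Bps=512.00, _tcp_KBps=0.50, _tcp_avg_thruput=0.50, kb=15.00, tcpKprocessed=15.00, _tcp_eps=1.00, build=143156, version=5.0.1, os=Linux, arch=x86_64, hostname=web01, guid=11111111-1111-1111-1111-111111111111, fwdType=uf, ssl=true, lastIndexer=None, ack=true
03-12-2013 10:15:02.200 -0500 INFO  Metrics - group=tcpin_connections, 10.0.0.20:61000:9997, connectionType=cooked, sourcePort=61000, sourceHost=10.0.0.20, sourceIp=10.0.0.20, destPort=9997, _tcp_Bps=2048.00, _tcp_KBps=2.00, _tcp_avg_thruput=2.00, kb=60.00, tcpKprocessed=60.00, _tcp_eps=4.00, build=143156, version=5.0.1, os=Windows, arch=x64, hostname=proxy01, guid=22222222-2222-2222-2222-222222222222, fwdType=full, ssl=false, lastIndexer=None, ack=false
03-12-2013 10:15:02.300 -0500 INFO  Metrics - group=tcpin_connections, 10.0.0.30:40000:9997, connectionType=cooked, sourcePort=40000, sourceHost=10.0.0.30, sourceIp=10.0.0.30, destPort=9997, _tcp_Bps=256.00, _tcp_KBps=0.25, _tcp_avg_thruput=0.25, kb=8.00, tcpKprocessed=8.00, _tcp_eps=0.50, build=115073, version=4.3.2, os=Linux, arch=x86_64, hostname=legacy01, guid=33333333-3333-3333-3333-333333333333, fwdType=lwf, ssl=false, lastIndexer=None, ack=false
03-12-2013 10:15:02.400 -0500 INFO  Metrics - group=tcpin_connections, 10.0.0.40:50000:9997, connectionType=cooked, sourcePort=50000, sourceHost=10.0.0.40, sourceIp=10.0.0.40, destPort=9997, _tcp_Bps=8192.00, _tcp_KBps=8.00, _tcp_avg_thruput=8.00, kb=240.00, tcpKprocessed=240.00, _tcp_eps=16.00, build=143156, version=5.0.1, os=Linux, arch=x86_64, hostname=hf01, guid=44444444-4444-4444-4444-444444444444, fwdType=hwf, ssl=true, lastIndexer=None, ack=true
03-12-2013 10:15:32.456 -0500 INFO  Metrics - group=udpin_connections, 514, sourcePort=514, _udp_bps=100.00, _udp_kbps=0.10, _udp_avg_thruput=0.10, _udp_kprocessed=3.00, _udp_eps=1.00
03-12-2013 10:15:32.789 -0500 INFO  Metrics - group=per_index_thruput, series="main", kbps=1.50, eps=3.00, kb=45.00, ev=90, avg_age=0.50, max_age=2
"""


def parse_metrics_line(line):
    """Return the key=value fields of one metrics.log event as a dict,
    or None if the line is not a 'Metrics - group=...' event."""
    if "Metrics - group=" not in line:
        return None
    return dict(KV_RE.findall(line))


def forwarder_inventory(lines):
    """One record per forwarder, keyed by guid (like '| dedup guid'),
    built from tcpin_connections events that carry fwdType."""
    inventory = {}
    for line in lines:
        ev = parse_metrics_line(line)
        if not ev or ev.get("group") != "tcpin_connections" or "fwdType" not in ev:
            continue
        fwd_type = ev["fwdType"].lower()
        inventory[ev.get("guid", ev.get("sourceIp"))] = {
            "hostname": ev.get("hostname"),
            "sourceIp": ev.get("sourceIp"),
            "fwdType": fwd_type,
            "label": FWD_TYPE_LABELS.get(fwd_type, "unknown fwdType"),
            "version": ev.get("version"),
            "ssl": ev.get("ssl") == "true",
            "ack": ev.get("ack") == "true",
        }
    return inventory


def fwd_type_counts(inventory):
    """Equivalent of '... | top fwdType' over the deduplicated inventory."""
    return Counter(rec["fwdType"] for rec in inventory.values())


def unencrypted_forwarders(inventory):
    """Hostnames whose forwarder connection reports ssl=false (plain TCP to the indexer)."""
    return sorted(rec["hostname"] for rec in inventory.values() if not rec["ssl"])


def udp_input_ports(lines):
    """Equivalent of 'group=udpin_connections | dedup sourcePort'. These events
    describe a local UDP listener rather than a forwarder, so they carry no fwdType."""
    ports = set()
    for line in lines:
        ev = parse_metrics_line(line)
        if ev and ev.get("group") == "udpin_connections" and "sourcePort" in ev:
            ports.add(ev["sourcePort"])
    return ports


if __name__ == "__main__":
    lines = SAMPLE_METRICS_LOG.splitlines()
    inv = forwarder_inventory(lines)
    for rec in sorted(inv.values(), key=lambda r: r["hostname"]):
        print(f"{rec['hostname']:<10} {rec['fwdType']:<5} {rec['label']:<32} "
              f"v{rec['version']} ssl={rec['ssl']} ack={rec['ack']}")
    print("top fwdType:", fwd_type_counts(inv).most_common())
    print("ssl=false forwarders:", unencrypted_forwarders(inv))
    print("UDP input ports:", sorted(udp_input_ports(lines)))
```

To use it on a real system, replace SAMPLE_METRICS_LOG with the contents of $SPLUNK_HOME/var/log/splunk/metrics.log from the indexer (or the output of the search above exported as raw events); the fwdType and ssl fields tell you both what kind of forwarder each host is and whether it is sending in the clear.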
Thank you for this. If my Splunk is listening on UDP as well, then will it show here?
I searched in my environment with 'index=_internal source=*metrics.log | top fwdType' and I got only uf and full. How do I get UDP as well?
I typed that too early...
A little searching and I was able to find it:
index=_internal source=*metrics.log group=udpin_connections | dedup sourcePort
Great thanks!
Thanks; I modified your suggested search as follows:
index=_internal source=*metrics.log | top fwdType
Looks like all our forwarders are "uf"
And for Heavy/Light you will have a full Splunk instance, i.e. splunkd and splunkweb will be available, but not in a Universal Forwarder.