I'm dealing with an environment of mixed Lightweight Forwarders and Universal Forwarders. How can I tell, without logging into the forwarders, which is running what?
The build number of the LWF/main Splunk package is confusingly identical to that of the UF.
Try this:
index=_internal source=*metrics.log group=tcpin_connections | dedup sourceHost, sourceIp | table sourceHost, sourceIp, ssl, lastIndexer, fwdType
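To make the fields in that search concrete, here is an added example (not from the answer above) that applies the same logic offline: it parses a few constructed metrics.log lines in the shape of group=tcpin_connections events, keeps the newest event per (sourceHost, sourceIp) pair as `dedup` does when results come back newest-first, and tabulates the same columns. The sample lines and their values (fwdType=uf/lwf/full, ssl, lastIndexer) are constructed for illustration; the field names come from the search, the surrounding metrics fields are assumed. It also adds a per-fwdType count, which the original search does not do.

```python
import re
from datetime import datetime

# Constructed sample splunkd metrics.log lines (not real data). Field values
# such as fwdType=uf/lwf/full and the other key=value pairs are assumed.
SAMPLE_METRICS_LOG = """\
01-15-2013 10:00:01.123 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.11:51234:9997, connectionType=cooked, sourcePort=51234, sourceHost=web01, sourceIp=10.0.0.11, destPort=9997, kb=12.3, fwdType=uf, ssl=false, lastIndexer=10.0.0.5:9997, ack=false
01-15-2013 10:00:31.456 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.12:51235:9997, connectionType=cooked, sourcePort=51235, sourceHost=db01, sourceIp=10.0.0.12, destPort=9997, kb=3.1, fwdType=lwf, ssl=true, lastIndexer=10.0.0.5:9997, ack=false
01-15-2013 10:01:01.789 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.11:51234:9997, connectionType=cooked, sourcePort=51234, sourceHost=web01, sourceIp=10.0.0.11, destPort=9997, kb=14.0, fwdType=uf, ssl=false, lastIndexer=10.0.0.5:9997, ack=false
01-15-2013 10:01:02.000 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=1.2
01-15-2013 10:01:31.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.13:51236:9997, connectionType=cooked, sourcePort=51236, sourceHost=app01, sourceIp=10.0.0.13, destPort=9997, kb=2.0, fwdType=full, ssl=true, lastIndexer=10.0.0.5:9997, ack=true
"""

# Leading timestamp of a metrics.log line, e.g. "01-15-2013 10:00:01.123 +0000".
TS_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})")
# key=value pairs; values run up to the next comma or whitespace.
KV_RE = re.compile(r"(\w+)=([^,\s]+)")
# Same columns as "table sourceHost, sourceIp, ssl, lastIndexer, fwdType".
COLUMNS = ("sourceHost", "sourceIp", "ssl", "lastIndexer", "fwdType")


def parse_metrics_line(line):
    """Return a dict of key=value fields plus a parsed _time, or None if the
    line does not start with a metrics.log timestamp."""
    m = TS_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    fields["_time"] = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S.%f %z")
    return fields


def forwarder_inventory(log_text):
    """Emulate: group=tcpin_connections | dedup sourceHost, sourceIp | table ...

    Splunk returns events newest-first, so dedup keeps the most recent
    connection record for each (sourceHost, sourceIp) pair; we sort the
    parsed events the same way before deduplicating.
    """
    events = [
        e for e in (parse_metrics_line(l) for l in log_text.splitlines())
        if e is not None and e.get("group") == "tcpin_connections"
    ]
    events.sort(key=lambda e: e["_time"], reverse=True)
    seen = set()
    rows = []
    for e in events:
        key = (e.get("sourceHost"), e.get("sourceIp"))
        if key in seen:
            continue
        seen.add(key)
        rows.append({c: e.get(c, "") for c in COLUMNS})
    return rows


def count_by_type(rows):
    """Count forwarders per fwdType (uf, lwf, full); an addition beyond the
    original search."""
    counts = {}
    for r in rows:
        counts[r["fwdType"]] = counts.get(r["fwdType"], 0) + 1
    return counts


if __name__ == "__main__":
    inventory = forwarder_inventory(SAMPLE_METRICS_LOG)
    print("\t".join(COLUMNS))
    for row in inventory:
        print("\t".join(row[c] for c in COLUMNS))
    print(count_by_type(inventory))
```

On a real indexer the search runs over `index=_internal`, so a forwarder that has not connected within the search time range will not appear at all; widen the time range (or compare against a known host list) before concluding a host is missing rather than misclassified.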
Great. This also works in 4.2, and contains hostnames instead of IPs (in our environment at least): index=_internal source=fwd | dedup hostname | table hostname, ssl, lastIndexer, fwdType