<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: add new data source via UDP to indexer in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142833#M29183</link>
    <description>&lt;P&gt;$SPLUNK_HOME is the installation location of Splunk on that system. Usually on *nix-based machines this is /opt/splunk/, and I think on Windows it is C:\Program Files\Splunk\&lt;/P&gt;</description>
    <pubDate>Thu, 14 Nov 2013 16:28:53 GMT</pubDate>
    <dc:creator>jtrucks</dc:creator>
    <dc:date>2013-11-14T16:28:53Z</dc:date>
    <item>
      <title>add new data source via UDP to indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142830#M29180</link>
      <description>&lt;P&gt;I have a Splunk indexer running on Ubuntu that forwards to the Splunk web on a Windows box and I want to add a new data source to the Ubuntu system.  How do I go about doing this from the command line?  I am fairly new to both Splunk and Ubuntu, so the more detailed answer the better.&lt;/P&gt;</description>
      <pubDate>Thu, 14 Nov 2013 15:35:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142830#M29180</guid>
      <dc:creator>glenngermiathen</dc:creator>
      <dc:date>2013-11-14T15:35:51Z</dc:date>
    </item>
    <item>
      <title>Re: add new data source via UDP to indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142831#M29181</link>
      <description>&lt;P&gt;As shown in the manual section on &lt;A href="http://docs.splunk.com/Documentation/Splunk/6.0/Data/Configureyourinputs#Use_the_CLI"&gt;getting data into Splunk via CLI&lt;/A&gt;, the most basic method is simply to run:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;$SPLUNK_HOME/bin/splunk add monitor /path/to/log/directory
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;OR&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;$SPLUNK_HOME/bin/splunk add monitor /path/to/log/filename
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Run this as the user Splunk runs as on the system.&lt;/P&gt;

&lt;P&gt;If you want to specify the sourcetype and/or index, then it would look like:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;$SPLUNK_HOME/bin/splunk add monitor /path/to/log/filename -sourcetype mysourcetypehere -index myotherindexhere
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;If you use a different index, it should already exist on the indexer. You can omit either or both of the &lt;CODE&gt;-sourcetype&lt;/CODE&gt; or &lt;CODE&gt;-index&lt;/CODE&gt; flags above.&lt;/P&gt;

&lt;P&gt;Run &lt;CODE&gt;$SPLUNK_HOME/bin/splunk help monitor&lt;/CODE&gt; to see more complete details.&lt;/P&gt;</description>
      <pubDate>Thu, 14 Nov 2013 15:44:59 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142831#M29181</guid>
      <dc:creator>jtrucks</dc:creator>
      <dc:date>2013-11-14T15:44:59Z</dc:date>
    </item>
    <item>
      <title>Re: add new data source via UDP to indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142832#M29182</link>
      <description>&lt;P&gt;Thanks, how do I determine where $SPLUNK_HOME is?&lt;/P&gt;</description>
      <pubDate>Thu, 14 Nov 2013 16:21:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142832#M29182</guid>
      <dc:creator>glenngermiathen</dc:creator>
      <dc:date>2013-11-14T16:21:25Z</dc:date>
    </item>
    <item>
      <title>Re: add new data source via UDP to indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142833#M29183</link>
      <description>&lt;P&gt;$SPLUNK_HOME is the installation location of Splunk on that system. Usually on *nix-based machines this is /opt/splunk/, and I think on Windows it is C:\Program Files\Splunk\&lt;/P&gt;</description>
      <pubDate>Thu, 14 Nov 2013 16:28:53 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142833#M29183</guid>
      <dc:creator>jtrucks</dc:creator>
      <dc:date>2013-11-14T16:28:53Z</dc:date>
    </item>
    <item>
      <title>Re: add new data source via UDP to indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142834#M29184</link>
      <description>&lt;P&gt;All great information.  I know our firewall is feeding data into the indexer, but how do I determine where the /path/to/log/directory or /path/to/log/logfile is so that I can add the data source?&lt;/P&gt;</description>
      <pubDate>Thu, 14 Nov 2013 17:34:31 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142834#M29184</guid>
      <dc:creator>glenngermiathen</dc:creator>
      <dc:date>2013-11-14T17:34:31Z</dc:date>
    </item>
    <item>
      <title>Re: add new data source via UDP to indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142835#M29185</link>
      <description>&lt;P&gt;If the indexer is getting the data via syslog, look at /etc/syslog.conf, /etc/syslog-ng.conf, or /etc/rsyslog.conf depending on what syslog daemon you use.&lt;/P&gt;</description>
      <pubDate>Thu, 14 Nov 2013 17:56:46 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142835#M29185</guid>
      <dc:creator>jtrucks</dc:creator>
      <dc:date>2013-11-14T17:56:46Z</dc:date>
    </item>
    <item>
      <title>Re: add new data source via UDP to indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142836#M29186</link>
      <description>&lt;P&gt;I guess that is where I'm confused, so I'm taking over an existing build for the former admin that left.  Multiple sources are feeding into the indexer and I want to add a new firewall into it too. I'm trying to determine where each data stream is going, but when I look at both /etc/syslog-ng.conf and /etc/rsyslog.conf I don't see anything indicating this information.&lt;/P&gt;</description>
      <pubDate>Thu, 14 Nov 2013 18:11:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142836#M29186</guid>
      <dc:creator>glenngermiathen</dc:creator>
      <dc:date>2013-11-14T18:11:01Z</dc:date>
    </item>
    <item>
      <title>Re: add new data source via UDP to indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142837#M29187</link>
      <description>&lt;P&gt;Ahh! In your indexer's splunkweb UI, go to Manager » Data inputs and look in those sections to see if you can find something obviously labeled that corresponds to your syslog based sources. This will start showing you where these things come from to get to your indexer.&lt;/P&gt;</description>
      <pubDate>Thu, 14 Nov 2013 18:30:23 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142837#M29187</guid>
      <dc:creator>jtrucks</dc:creator>
      <dc:date>2013-11-14T18:30:23Z</dc:date>
    </item>
    <item>
      <title>Re: add new data source via UDP to indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142838#M29188</link>
      <description>&lt;P&gt;I'm not sure if this is right or not, but I don't think my indexer is running a Splunk web UI.  From my understanding the indexer is just a command-line Ubuntu build which feeds into the Splunk web head on a Windows build.  I checked the data inputs from the web interface on the Windows box, but I couldn't see anything that helped me there.  Any other ideas?&lt;/P&gt;</description>
      <pubDate>Thu, 14 Nov 2013 18:46:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142838#M29188</guid>
      <dc:creator>glenngermiathen</dc:creator>
      <dc:date>2013-11-14T18:46:34Z</dc:date>
    </item>
    <item>
      <title>Re: add new data source via UDP to indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142839#M29189</link>
      <description>&lt;P&gt;That means that your ubuntu system is a Splunk Forwarder client and the Windows system is the Splunk Indexer server. Go look at the "source" field for any event in your indexer listed as "sourcetype=syslog" like:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;sourcetype=syslog | head 1 | table source
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;That should get you a list of the source, which is most likely a file path to the files on the syslog machine. It could be a TCP connection, which means the data goes directly to the indexer, which makes it a rather different situation.&lt;/P&gt;</description>
      <pubDate>Thu, 14 Nov 2013 18:53:46 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142839#M29189</guid>
      <dc:creator>jtrucks</dc:creator>
      <dc:date>2013-11-14T18:53:46Z</dc:date>
    </item>
    <item>
      <title>Re: add new data source via UDP to indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142840#M29190</link>
      <description>&lt;P&gt;It appears to be a straight UDP feed into the forwarder.&lt;/P&gt;</description>
      <pubDate>Thu, 14 Nov 2013 19:14:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142840#M29190</guid>
      <dc:creator>glenngermiathen</dc:creator>
      <dc:date>2013-11-14T19:14:21Z</dc:date>
    </item>
    <item>
      <title>Re: add new data source via UDP to indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142841#M29191</link>
      <description>&lt;P&gt;To clarify, it is a UDP feed into the Ubuntu machine?&lt;/P&gt;</description>
      <pubDate>Thu, 14 Nov 2013 19:17:17 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142841#M29191</guid>
      <dc:creator>jtrucks</dc:creator>
      <dc:date>2013-11-14T19:17:17Z</dc:date>
    </item>
    <item>
      <title>Re: add new data source via UDP to indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142842#M29192</link>
      <description>&lt;P&gt;Yes, UDP into the ubuntu forwarder&lt;/P&gt;</description>
      <pubDate>Thu, 14 Nov 2013 19:25:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142842#M29192</guid>
      <dc:creator>glenngermiathen</dc:creator>
      <dc:date>2013-11-14T19:25:21Z</dc:date>
    </item>
    <item>
      <title>Re: add new data source via UDP to indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142843#M29193</link>
      <description>&lt;P&gt;The firewall information is getting to the Splunk web.  I can see the raw data, but it isn't being parsed like the old firewall we were using.  I can't create searches by src or dest IP, port, etc.&lt;/P&gt;</description>
      <pubDate>Thu, 14 Nov 2013 20:06:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142843#M29193</guid>
      <dc:creator>glenngermiathen</dc:creator>
      <dc:date>2013-11-14T20:06:06Z</dc:date>
    </item>
    <item>
      <title>Re: add new data source via UDP to indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142844#M29194</link>
      <description>&lt;P&gt;I suspect the new firewall might be showing as a different source and the extracts are per source, not sourcetype. Go to Manager » Fields » Field extractions to see if the firewall extracts are listed with "source::" in the front. If so, you may need to create a new one using sourcetype instead, or copy the existing one and create it using your new firewall source.&lt;/P&gt;</description>
      <pubDate>Thu, 14 Nov 2013 20:41:59 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142844#M29194</guid>
      <dc:creator>jtrucks</dc:creator>
      <dc:date>2013-11-14T20:41:59Z</dc:date>
    </item>
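The scoping problem jtrucks describes in the post above (an extraction bound to a source:: stanza silently not firing for events that arrive on a different source) is easy to reproduce outside Splunk. The Python below is an added example, not code from the thread or from Splunk: it models props.conf stanza scoping and single-capture-group regex extractions over two constructed firewall syslog lines, one from the old file-based source and one arriving on a UDP listener source. The stanza names, field regexes, source values and log lines are all assumptions made for the example; real EXTRACT-class regexes use named capture groups, which are omitted here.

```python
# Added example (not from the thread or from Splunk): a toy model of how
# search-time field extractions are scoped by props.conf stanza, showing why
# a "source::" scoped extraction misses a new firewall that arrives on a
# different source while a sourcetype-scoped one picks it up.
import fnmatch
import re

# Constructed events: the old firewall came in from a monitored file path,
# the new one arrives on a UDP input (Splunk names such sources udp:PORT).
EVENTS = [
    {"source": "/var/log/firewall/fw1.log", "sourcetype": "syslog", "host": "fw1",
     "_raw": "Nov 14 15:35:51 fw1 kernel: DENY src=10.0.0.5 dst=192.0.2.10 "
             "proto=TCP sport=51234 dport=443"},
    {"source": "udp:514", "sourcetype": "syslog", "host": "fw2",
     "_raw": "Nov 14 15:36:02 fw2 kernel: ACCEPT src=10.0.0.9 dst=192.0.2.20 "
             "proto=UDP sport=40000 dport=53"},
]

# One regex per field, each with a single capture group (assumed patterns).
FIELD_REGEXES = [
    ("action", r"kernel: (DENY|ACCEPT)"),
    ("src_ip", r"\bsrc=(\S+)"),
    ("dest_ip", r"\bdst=(\S+)"),
    ("src_port", r"\bsport=(\d+)"),
    ("dest_port", r"\bdport=(\d+)"),
]

# What the thread found: extractions bound to the OLD firewall's source path.
PROPS_BY_SOURCE = {"source::/var/log/firewall/*": FIELD_REGEXES}
# The fix suggested in the thread: bind the same regexes to the sourcetype.
PROPS_BY_SOURCETYPE = {"syslog": FIELD_REGEXES}


def stanza_matches(stanza, event):
    """Mirror props.conf scoping: 'source::PATTERN' and 'host::PATTERN'
    match those fields (wildcards allowed); a bare name is a sourcetype."""
    if stanza.startswith("source::"):
        return fnmatch.fnmatchcase(event["source"], stanza[len("source::"):])
    if stanza.startswith("host::"):
        return fnmatch.fnmatchcase(event.get("host", ""), stanza[len("host::"):])
    return event["sourcetype"] == stanza


def extract_fields(event, props):
    """Apply every extraction whose stanza applies to this event.
    Returns a dict of field name to the first captured value."""
    fields = {}
    for stanza, regexes in props.items():
        if not stanza_matches(stanza, event):
            continue
        for field, pattern in regexes:
            match = re.search(pattern, event["_raw"])
            if match and field not in fields:
                fields[field] = match.group(1)
    return fields


def fields_per_source(props):
    """Return {source: sorted list of extracted field names} for all events,
    so the two scoping choices can be compared side by side."""
    return {e["source"]: sorted(extract_fields(e, props)) for e in EVENTS}


if __name__ == "__main__":
    for label, props in (("source-scoped", PROPS_BY_SOURCE),
                         ("sourcetype-scoped", PROPS_BY_SOURCETYPE)):
        print(label)
        for source, names in fields_per_source(props).items():
            print("  ", source, names)
```

With the source-scoped stanza the udp:514 event gets no fields at all, which is exactly the "raw data visible, no src/dest/port to search on" symptom; rescoping the same regexes to the sourcetype extracts both events. The same check, looking at whether the stanza name starts with source:: or host:: and whether its pattern covers the new source value, is what to do in Manager » Fields » Field extractions before creating a new extraction.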
    <item>
      <title>Re: add new data source via UDP to indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142845#M29195</link>
      <description>&lt;P&gt;That doesn't seem to be it.  The firewall doesn't have the source:: before it.&lt;/P&gt;</description>
      <pubDate>Thu, 14 Nov 2013 21:07:40 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142845#M29195</guid>
      <dc:creator>glenngermiathen</dc:creator>
      <dc:date>2013-11-14T21:07:40Z</dc:date>
    </item>
    <item>
      <title>Re: add new data source via UDP to indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142846#M29196</link>
      <description>&lt;P&gt;I think you need to read &lt;A href="http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Addfieldsatsearchtime"&gt;http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Addfieldsatsearchtime&lt;/A&gt; and check out the &lt;A href="http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Addfieldsatsearchtime#Use_interactive_field_extraction_to_create_new_fields"&gt;http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Addfieldsatsearchtime#Use_interactive_field_extraction_to_create_new_fields&lt;/A&gt; section specifically. Try to extract some of the fields with your new source and then it will suggest what extracts it sort of looks like. Also, you need to have a much stronger understanding of how Splunk field extractions, sources, and sourcetypes work to get much further managing it.&lt;/P&gt;</description>
      <pubDate>Thu, 14 Nov 2013 21:45:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142846#M29196</guid>
      <dc:creator>jtrucks</dc:creator>
      <dc:date>2013-11-14T21:45:34Z</dc:date>
    </item>
    <item>
      <title>Re: add new data source via UDP to indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142847#M29197</link>
      <description>&lt;P&gt;I think the issue you posted on here is answered, which is to get your firewall data into Splunk.&lt;/P&gt;

&lt;P&gt;Perhaps go read the above, maybe experiment, and then create a NEW answers post with the extract question to get better visibility into it. Meanwhile, this issue of getting the data should likely be marked answered...&lt;/P&gt;</description>
      <pubDate>Thu, 14 Nov 2013 21:46:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142847#M29197</guid>
      <dc:creator>jtrucks</dc:creator>
      <dc:date>2013-11-14T21:46:25Z</dc:date>
    </item>
    <item>
      <title>Re: add new data source via UDP to indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142848#M29198</link>
      <description>&lt;P&gt;Further reading for you: &lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Howtousethismanual"&gt;http://docs.splunk.com/Documentation/Splunk/latest/Admin/Howtousethismanual&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 14 Nov 2013 21:49:13 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142848#M29198</guid>
      <dc:creator>jtrucks</dc:creator>
      <dc:date>2013-11-14T21:49:13Z</dc:date>
    </item>
    <item>
      <title>Re: add new data source via UDP to indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142849#M29199</link>
      <description>&lt;P&gt;Also, check this out to understand forwarders: &lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Aboutforwardingandreceivingdata"&gt;http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Aboutforwardingandreceivingdata&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;And to understand ingesting data: &lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor"&gt;http://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 14 Nov 2013 21:50:12 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/add-new-data-source-via-UDP-to-indexer/m-p/142849#M29199</guid>
      <dc:creator>jtrucks</dc:creator>
      <dc:date>2013-11-14T21:50:12Z</dc:date>
    </item>
  </channel>
</rss>

