https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165782#M33625 <P>Why when I restrict host I don't receive anything?There is some specific configuration?<BR /> My firewall and my switch are allow to send logs.</P> Mon, 01 Feb 2016 18:43:53 GMT tiagomiranda 2016-02-01T18:43:53Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165772#M33615 <P>Hello,</P> <P>I have configured two network devices (cisco router and fortigate firewall) to send logs to Splunk server via udp port 514 .I can successfully see all the raw logs but particular apps wont show any data because the sourcetype doesnt match.I cant define different sourcetypes to same udp port in "data inputs".How can I overcome this issue ?</P> Mon, 29 Dec 2014 10:52:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165772#M33615 aeshan 2014-12-29T10:52:45Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165773#M33616 <P>You can use the following in your inputs.conf</P> <PRE><CODE>[udp://123.456.789:514] index = networking sourcetype = cisco [udp://123.456.890:514] index = networking sourcetype = fortinet </CODE></PRE> Mon, 29 Dec 2014 14:56:32 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165773#M33616 treinke 2014-12-29T14:56:32Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165774#M33617 <P>Thank you very much for the solution.Can you please specify which inputs.conf file I should edited.I saw there several inputs.conf files in several folders.</P> Wed, 31 Dec 2014 04:36:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165774#M33617 aeshan 2014-12-31T04:36:18Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165775#M33618 <P>whats your splunk topology and source paths? </P> Wed, 31 Dec 2014 04:49:14 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165775#M33618 jayannah 2014-12-31T04:49:14Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165776#M33619 <P>you can edit in local directory of app name folder<BR /> $SPLUNK_HOME/etc/apps/app-name/local/inputs.conf<BR /> or you can directly modify from splunk web <BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Enableareceiver">http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Enableareceiver</A></P> Wed, 31 Dec 2014 04:53:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165776#M33619 kml_uvce 2014-12-31T04:53:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165777#M33620 <P>When you configure the inputs from the website, the inputs.conf file will be in the app folder that you were in before you when in to the inputs section. For example if you were in the Search &amp; Reporting app, current location for your inputs.conf would be in </P> <PRE><CODE>$SPLUNK_HOME/etc/apps/search/local/inputs.conf </CODE></PRE> <P>If you are not sure where to store your file with these stanzas, you can use</P> <PRE><CODE>$SPLUNK_HOME/etc/system/local/inputs.conf </CODE></PRE> Wed, 31 Dec 2014 05:24:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165777#M33620 treinke 2014-12-31T05:24:02Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165778#M33621 <P>Hi @aeshan</P> <P>Did Anthony Reinke's or @kml_uvce's answers below solve your question? If yes, please accept the one that did to resolve this post by clicking "Accept" right below the appropriate answer. Thanks!</P> <P>Patrick</P> Wed, 07 Jan 2015 02:45:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165778#M33621 ppablo 2015-01-07T02:45:34Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165779#M33622 <P>Hi..</P> <P>Edit the inputs.conf file in $SPLUNK_HOME/etc/apps/app-name/local/inputs.conf or $SPLUNK_HOME/etc/system/local/inputs.conf or $SPLUNK_HOME/etc/apps/search/local/inputs.conf <BR /> Note : no need to edit and enter the below configuration in all the input file. any one of the file is fine</P> <P>[udp://ipaddressofthedevice:514]<BR /> index = linux<BR /> sourcetype = linuxevents</P> <P>[udp://ipaddressofthdevice:514]<BR /> index = linux<BR /> sourcetype = syslog</P> <P>Ex : <BR /> [udp://10.1.1.10:514]<BR /> index = linux<BR /> sourcetype = linuxevents</P> <P>[udp://192.168.1.9:514]<BR /> index = linux<BR /> sourcetype = syslog</P> Mon, 28 Sep 2020 18:34:58 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165779#M33622 82padarthi 2020-09-28T18:34:58Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165780#M33623 <P>Up to the config, you cannot define more than one input for the same port: <BR /> [udp://<REMOTE server="">:<PORT>]<BR /> * Similar to TCP, except that it listens on a UDP port.<BR /> * Only one stanza per port number is currently supported.</PORT></REMOTE></P> <P>However, did it work for any of you?? </P> Mon, 19 Oct 2015 23:05:40 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165780#M33623 jdanij 2015-10-19T23:05:40Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165781#M33624 <P>you are adding an ip address to limit the input selection. if you added <CODE>[udp://514]</CODE> to the inputs.conf file, you are saying any ip address on UDP port 514. This is really more like <CODE>[udp://*:514]</CODE> . When you add the ip address in to the stanza, you are narrowing down the parameters. So <CODE>[udp://123.456.789:514]</CODE> is saying from this ip on this port, do the following the in the stanza.</P> Wed, 21 Oct 2015 20:23:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165781#M33624 treinke 2015-10-21T20:23:13Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165782#M33625 <P>Why when I restrict host I don't receive anything?There is some specific configuration?<BR /> My firewall and my switch are allow to send logs.</P> Mon, 01 Feb 2016 18:43:53 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165782#M33625 tiagomiranda 2016-02-01T18:43:53Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165783#M33626 <P>are you seeing the packets with tcpdump/wireshark on the Splunk server?</P> Mon, 01 Feb 2016 18:51:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/165783#M33626 treinke 2016-02-01T18:51:33Z https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/638636#M109049 <P>This exactly as stated here, totally worked for us (Splunk 9)<BR />Create the inputs.con file, add stanza as indicated here, no more no less and save the file. In Config Explorer do a debug/refresh and you will see these special inputs appear in the GUI as "[IP]:[PORT]" and data will trickle in to the specified index(es) using the specified sourcetype.</P> Tue, 04 Apr 2023 11:14:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-514/m-p/638636#M109049 amnonh 2023-04-04T11:14:02Z