topic Re: Where do I configure the host in Splunk Light to collect data from a socket of an external device? in Getting Data In

Where do I configure the host in Splunk Light to collect data from a socket of an external device?

PepePelotas — Fri, 27 Jan 2017 16:17:12 GMT

I am evaluating Splunk Light.
I want to collect data from a socket port on an external device. I was hoping that by configuring a TCP data input, entering the correct port number and source type, I would be able to get that data into Splunk Light. However, I am missing one datapoint, the host where the data needs to come from.
The Add Data panel asks me for TCP/UDP, port number, Source name override, and Accept connections from.
Source type is CSV, Method is either IP or DNS, let's say IP and Index is default.

Where do I configure the host the data needs to come from? This is a hardware device and is not able to run a forwarder.

Re: Where do I configure the host in Splunk Light to collect data from a socket of an external device?

gokadroid — Fri, 27 Jan 2017 18:41:07 GMT

Hope this small story of a similar example of implementation helps which was as follows:

There was Host A on which there was log file A and forwarder couldn't be installed on Host A. There was Host B on which Splunk was running. So to get the data from Host A to Host B Splunk, on Host B Splunk tcp input was configured to listen on port 12345.

Python script was asked to run on Host A to read log file A and when done reading, fire this output to Host B, port 12345 where Splunk will be waiting to receive it. The logs then stayed in Splunk index happily ever after.

In your case if script cannot be put on Host A then there shall be an intermediate implementation which will first read the data from Host A (hardware) port xxxx and then forward it to Host B port 12345 where Splunk will be ready to receive. Choice of implementation shall be yours based on your environment, accessibility and security concerns.

Re: Where do I configure the host in Splunk Light to collect data from a socket of an external device?

PepePelotas — Sat, 28 Jan 2017 12:43:14 GMT

There is a host A on which a service is running which exposes data on TCP socket port 14150.
There is a host B on which Splunk is installed.
On host B TCP input was configured to listen on port 14150.
There is no possibility to run a script or any other application on host A.
So to get the data from host A to host B Splunk on host B needs to be able to establish a TCP connection on host A port 14150.
Is this possible? Or do i need to run a netcat or socat on host B which connects to host A port 14150 and redirects the data to host B port 14150 so Splunk can receive it? It looks to me that this should be a direct process without intervention of a third party program running on the same host as where Splunk is running. Am i missing something?