topic Re: Why is TCP data not being indexed? in Getting Data In

Why is TCP data not being indexed?

a212830 — Wed, 26 Oct 2016 17:57:41 GMT

Hi,

I have a feed of events coming into my Splunk Heavy Forwarder, but they aren't being indexed, and I'm baffled. Here's my inputs.conf:

[tcp://:1918]
index = istr_security 
sourcetype =  bcoat_proxysg
disabled = false

[tcp://:1919]
index = istr_security
sourcetype = bcoat_proxysg_plug
disabled = false
`
[tcp://:1920]
connection_host = dns
source = tcp:1920
index = istr_security
sourcetype = bcoat_proxysg_socks
disabled = false

1918 works. It's been in place for a long time. We are now sending 1920, but it's not showing up. I checked future events, and looked in the logs for any errors, but can't find any. I do see these messages, but they seem to be telling me that Splunk is now reading my port. I did a packet capture, and data is arriving.

10-26-2016 13:51:47.027 -0400 INFO  TcpInputConfig - IPv4 port 1920 is reserved for raw input
10-26-2016 13:51:47.027 -0400 INFO  TcpInputConfig - IPv4 port 1920 will negotiate new-s2s protocol
10-26-2016 13:51:47.027 -0400 INFO  TcpInputProc - Creating raw Acceptor for IPv4 port 1920 with Non-SSL

Re: Why is TCP data not being indexed?

jwelch_splunk — Thu, 27 Oct 2016 02:03:17 GMT

What happens if you try:

[tcp://:1920]
 #connection_host = dns
 #source = tcp:1920
 index = istr_security
 sourcetype = answers_test
 disabled = false

and:
[tcp://:1920]
 #connection_host = dns
 source = tcp:1920
 index = istr_security
 sourcetype = answers_test
 disabled = false

and:

[tcp://:1920]
 connection_host = dns
 source = tcp:1920
 index = istr_security
 sourcetype = answers_test
 disabled = false

Re: Why is TCP data not being indexed?

sloshburch — Thu, 27 Oct 2016 20:41:07 GMT

There's a tick mark on line 10 - is that a typo in the answers post?

If you change the port from 1920 to something else, does it work?

When Splunk is stopped on that host, is another process using that port? (netstat -an | grep 1920)

Re: Why is TCP data not being indexed?

Richfez — Fri, 28 Oct 2016 13:43:19 GMT

And please confirm that you have no firewalls blocking the traffic, either host based or network based.

Re: Why is TCP data not being indexed?

a212830 — Sat, 29 Oct 2016 22:38:19 GMT

Fixed. LTM issue - Splunk was fine.

Re: Why is TCP data not being indexed?

a212830 — Sat, 29 Oct 2016 22:39:23 GMT

And they found the issue with Splunk! hahahaha!

Re: Why is TCP data not being indexed?

pgadhari — Sat, 26 Jan 2019 08:58:39 GMT

can you please explain what was the issue at LTM side ? I am also facing the same problem ? can you tell me the fix for the same ? anything needs to be done from Splunk side ?? Please reply. Thanks.