<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How do I get Splunk to listen to data over RELP? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-do-I-get-Splunk-to-listen-to-data-over-RELP/m-p/315436#M59017</link>
    <description>&lt;P&gt;To the best of my knowledge, Splunk does not support RELP.  This is (as I'm sure you know) an rsyslog-specific protocol that, while documented thoroughly, has only a few implementations outside of rsyslog itself.  I don't even know how you've gotten network devices to send using RELP, but that might have been easy &lt;span class="lia-unicode-emoji" title=":winking_face:"&gt;😉&lt;/span&gt;&lt;/P&gt;</description>
    <pubDate>Thu, 23 Feb 2017 03:42:01 GMT</pubDate>
    <dc:creator>dwaddle</dc:creator>
    <dc:date>2017-02-23T03:42:01Z</dc:date>
    <item>
      <title>How do I get Splunk to listen to data over RELP?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-do-I-get-Splunk-to-listen-to-data-over-RELP/m-p/315435#M59016</link>
      <description>&lt;P&gt;For quite a while, I've been attempting to make an identical deployment of a Splunk Enterprise instance.&lt;BR /&gt;
The original one I have is working just fine, however I've tried multiple ways to get the same data from the original deployment into the new deployment, with little success. (Someone previously suggested that I copy the entire SPLUNK_HOME folder to the new machine, however I'm aiming to set the new one up from scratch)&lt;/P&gt;

&lt;P&gt;I've singled the issue out to an issue with RELP.&lt;BR /&gt;
We're currently using Splunk to index syslog messages from network devices - these are then sent from an rsyslog server via RELP to the Splunk server.&lt;BR /&gt;
These messages are being received fine on the current Splunk Server, but not the new one I've been attempting to set up. I have edited the necessary configurations on rsyslog to tell it to send data to the new Splunk server, however it doesn't seem to be receiving anything.&lt;BR /&gt;
For the record, when I configured rsyslog to send the data to the new machine over TCP, Splunk was receiving it fine, however I am required to get it working over RELP.&lt;/P&gt;

&lt;P&gt;Would anyone know what I need to do to get the data through via RELP? I think it's something to do with the Splunk server side however I am not 100% sure.&lt;BR /&gt;
Thanks in advance for your help.&lt;/P&gt;</description>
      <pubDate>Thu, 23 Feb 2017 01:24:07 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-do-I-get-Splunk-to-listen-to-data-over-RELP/m-p/315435#M59016</guid>
      <dc:creator>remmerson</dc:creator>
      <dc:date>2017-02-23T01:24:07Z</dc:date>
    </item>
    <item>
      <title>Re: How do I get Splunk to listen to data over RELP?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-do-I-get-Splunk-to-listen-to-data-over-RELP/m-p/315436#M59017</link>
      <description>&lt;P&gt;To the best of my knowledge, Splunk does not support RELP.  This is (as I'm sure you know) an rsyslog-specific protocol that, while documented thoroughly, has only a few implementations outside of rsyslog itself.  I don't even know how you've gotten network devices to send using RELP, but that might have been easy &lt;span class="lia-unicode-emoji" title=":winking_face:"&gt;😉&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 23 Feb 2017 03:42:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-do-I-get-Splunk-to-listen-to-data-over-RELP/m-p/315436#M59017</guid>
      <dc:creator>dwaddle</dc:creator>
      <dc:date>2017-02-23T03:42:01Z</dc:date>
    </item>
  </channel>
</rss>

