Parsing logs from UDP input

test_qweqwe — Wed, 01 Nov 2017 01:48:03 GMT

I installed addon for my product but the problem is that the addon is intended to collect data from the file, and not from receiving at udp 514 port. How should I reconfigure conf files to make it work?

Re: Parsing logs from UDP input

hardikJsheth — Wed, 01 Nov 2017 05:25:43 GMT

There are multiple options.
1. You can update stanza to listen for UDP traffic on port 514.

[udp://2514]
sourcetype = Your Sourcetype
index= Define it if it's other than main

Use syslogd/rsyslogd to listen for UDP traffic on port 514 and then put those contents into file which will be read by Splunk. You can keep your inputs.conf configuration as is and configure syslogd to put logs into the same file for which you have input configuration. Sample configuration is as follows:
```
$ModLoad imudp
$UDPServerRun 514
### Put logs to file ###
$template rtflow,"$YOURFILELOCATION"
if $msg contains 'RT_FLOW' then -?rtflow
& ~
```

I would prefer second option as the chance of data loss is reduced in case of Splunk server is restarted.

topic Re: Parsing logs from UDP input in Getting Data In

Parsing logs from UDP input

Re: Parsing logs from UDP input