https://community.splunk.com/t5/Getting-Data-In/Adding-a-custom-quot-handler-quot-to-TCP-UDP-input/m-p/23781#M96592 <P>Hi Damien, don't forget to "accept" an answer by clicking the outlined check-mark to the left of it.</P> Thu, 09 Jun 2011 16:15:35 GMT dwaddle 2011-06-09T16:15:35Z https://community.splunk.com/t5/Getting-Data-In/Adding-a-custom-quot-handler-quot-to-TCP-UDP-input/m-p/23777#M96588 <P>Does such a facility exist within SPLUNK by which you can add a custom "handler" to a TCP or UDP socket input ?</P> <P>Such a scenario might be where you want to send data to SPLUNK via TCP, and this data might be a proprietary layer 4 network protocol that requires a custom handler to first decode the raw protocol bytes into a textual format before passing on to SPLUNK indexing.</P> <P>I could quite easily write a "scripted input" that listens on a socket and outputs decoded bytes to STDOUT, but it would be nice if I could just write a custom "handler" that chains onto a standard TCP input.</P> <P>Regards,</P> <P>Damien D.</P> Tue, 07 Jun 2011 03:39:42 GMT https://community.splunk.com/t5/Getting-Data-In/Adding-a-custom-quot-handler-quot-to-TCP-UDP-input/m-p/23777#M96588 Damien_Dallimor 2011-06-07T03:39:42Z https://community.splunk.com/t5/Getting-Data-In/Adding-a-custom-quot-handler-quot-to-TCP-UDP-input/m-p/23778#M96589 <P>Such a facility does not exist at this time. At least, not that is accessible to us customers. Splunk may have such a technique they use internally - but I don't think they expose any kind of API for us to get at it.</P> <P>If this is something you want Splunk to consider you should submit an ER for it.<BR /><BR /> <A href="http://splunk-base.splunk.com/answers/4844/how-can-i-submit-an-enhancement-request">http://splunk-base.splunk.com/answers/4844/how-can-i-submit-an-enhancement-request</A></P> Tue, 07 Jun 2011 14:41:06 GMT https://community.splunk.com/t5/Getting-Data-In/Adding-a-custom-quot-handler-quot-to-TCP-UDP-input/m-p/23778#M96589 dwaddle 2011-06-07T14:41:06Z https://community.splunk.com/t5/Getting-Data-In/Adding-a-custom-quot-handler-quot-to-TCP-UDP-input/m-p/23779#M96590 <P>Just write a scripted input, especially if you are confident that you can do it. What is the difference between that and a custom handler? </P> <P>In general, your handler will provide the bottleneck, so the underlying TCP and UDP sockets don't really buy you anything. </P> <P>If you just <STRONG>must</STRONG> use Splunk's sockets, have your scripted input listen on one port, do your decoding, and send the plain-text stream to a Splunk socket listening on another port.</P> Tue, 07 Jun 2011 17:19:35 GMT https://community.splunk.com/t5/Getting-Data-In/Adding-a-custom-quot-handler-quot-to-TCP-UDP-input/m-p/23779#M96590 araitz 2011-06-07T17:19:35Z https://community.splunk.com/t5/Getting-Data-In/Adding-a-custom-quot-handler-quot-to-TCP-UDP-input/m-p/23780#M96591 <P>Thanks guys..I think I'll go with the scripted input proxying on to a Splunk socket input.</P> <P>Damien D. </P> Tue, 07 Jun 2011 21:38:53 GMT https://community.splunk.com/t5/Getting-Data-In/Adding-a-custom-quot-handler-quot-to-TCP-UDP-input/m-p/23780#M96591 Damien_Dallimor 2011-06-07T21:38:53Z https://community.splunk.com/t5/Getting-Data-In/Adding-a-custom-quot-handler-quot-to-TCP-UDP-input/m-p/23781#M96592 <P>Hi Damien, don't forget to "accept" an answer by clicking the outlined check-mark to the left of it.</P> Thu, 09 Jun 2011 16:15:35 GMT https://community.splunk.com/t5/Getting-Data-In/Adding-a-custom-quot-handler-quot-to-TCP-UDP-input/m-p/23781#M96592 dwaddle 2011-06-09T16:15:35Z