topic Re: No data from TCP input in Getting Data In

No data from TCP input

siva_cg — Mon, 26 Aug 2019 14:31:45 GMT

Hi All,

We have a Splunk environment running on 6.2.2. We configured a TCP input to receive logs directly from network device to Indexer. The configurations are as below:

inputs.conf
[tcp://:11514]
index=x
source=y
sourcetype=z
acceptFrom=IP

I see, all connections are fine and on checking the network logs, I am seeing that Indexer has acknowledged for the data but still I am unable to see the data in Splunk. What could be the issue? could you please help to resolve it? Thanks in advance.
(I have similar configurations for another source and it is working as expected)

Re: No data from TCP input

mayurr98 — Mon, 26 Aug 2019 17:55:36 GMT

You could try tcpdump -i eth0 tcp port 11514 -nn to see if traffic is actually flowing while Splunk is running.

Re: No data from TCP input

DavidHourani — Mon, 26 Aug 2019 19:12:40 GMT

try it without the acceptFrom=IP first to make sure that's not denying anything..

Re: No data from TCP input

siva_cg — Tue, 27 Aug 2019 07:09:41 GMT

@mayurr98 , I have taken tcpdump and traffic is flowing

Re: No data from TCP input

solarboyz1 — Tue, 27 Aug 2019 20:53:31 GMT

When you are searching for the event's in Splunk are you using all time or specifying a time range? If a timestamp is not getting parsed from the data correctly, its possible a future or past date is used which will prevent the events from showing up in a time constrained search.

| metadata index=x type=hosts

Do you see the host reporting?

Check to see if the events timestamps are off:

The lastTime field is the timestamp for the last time that the indexer saw an event from this host.
The recentTime field is the indextime for the most recent time that the index saw an event from this host. In other words, this is the time of the last update

Re: No data from TCP input

siva_cg — Thu, 29 Aug 2019 08:49:50 GMT

Hi @solarboyz1,
I tried with All Time and future time as well but not luck. This is only source configured to Splunk and not receiving logs

Re: No data from TCP input

siva_cg — Thu, 29 Aug 2019 08:50:33 GMT

@DavidHourani, I tried but no luck.

Re: No data from TCP input

DavidHourani — Thu, 29 Aug 2019 14:57:52 GMT

So the port is listening, data is coming in to the port and the remote server is able to connect BUT nothing is going to splunk ?

What's the sourcetype ? Syslog ?

Re: No data from TCP input

DavidHourani — Thu, 29 Aug 2019 15:43:50 GMT

A good way to debug this is to use another splunk server in the same network zone. Do you have any HF that you can use ? Better if it's a server with nothing going on it, that way you can really understand if you're problem is from your input stanza, from the network or from the source.

Re: No data from TCP input

solarboyz1 — Thu, 29 Aug 2019 15:50:14 GMT

Is the index created?

Do you see any error related to this input or index in the _internal logs?

Have you tried using a non-splunk listener (netcat) to verify the format of the data coming in?