Customize inputs.conf Palo Alto - Multiple sources udp:514

wvalente
Explorer

Dear,

I configured the inputs.conf of the Palo Alto app exactly as in the documentation.

However, in addition to the Palo Alto logs, I get other logs via udp:514. The configuration in inputs.conf is forwarding all logs received on 514 to the pan:log sourcetype.

How could I assign only the Palo Alto logs to the sourcetype pan:log?

0 Karma

panguy
Contributor

https://answers.splunk.com/answers/205815/how-to-configure-different-sourcetypes-for-udp-por.html

You can use the following in your inputs.conf

[udp://SOURCE_IP:PORT]
0 Karma
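An added example (not from the linked answer or the Palo Alto app) of what that stanza form looks like when two senders share port 514. The addresses 10.0.0.5 (the firewall) and 10.0.0.9 (a switch), the index names and the file path are assumptions for illustration:

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf on the Splunk instance that listens on UDP 514.
# Each stanza names the *sending* host, so Splunk can attach a different
# sourcetype to each sender even though they all arrive on the same port.

# Palo Alto firewall (constructed address 10.0.0.5)
[udp://10.0.0.5:514]
sourcetype = pan:log
index = firewall
connection_host = ip
# keep the original syslog header; do not prepend Splunk's own timestamp
no_appending_timestamp = true
disabled = 0

# Some other syslog sender on the same port (constructed address 10.0.0.9)
[udp://10.0.0.9:514]
sourcetype = syslog
index = network
connection_host = ip
no_appending_timestamp = true
disabled = 0
```

Two caveats a practitioner should keep in mind. First, the match is on the packet's source IP, and UDP source addresses are trivially spoofable, so this is a routing rule, not authentication: anything on the network segment that can forge 10.0.0.5 can inject events into the firewall index as pan:log. Second, you now have to add a stanza every time a new device starts sending to 514; a sender that matches no host-restricted stanza does not get the pan:log sourcetype, which is the desired behaviour here, but check on your own version what happens to unlisted senders before relying on it.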

martin_mueller
SplunkTrust

Three options:

Best: let a dedicated syslog daemon receive the data, write to disk, let a universal forwarder read the log files and assign sourcetypes per file.

Bad: make each source use a distinct port.

Bad: keep all sources at one port, define props/transforms to rewrite source types, index, etc based on the event, host, etc.

0 Karma
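An added example (not from the answer above or from Splunk's or the Palo Alto app's own configuration) of the first and third options side by side. The rsyslog template, the directory /var/log/remote, the sender addresses 10.0.0.5 (firewall) and 10.0.0.9 (switch), and the index names are assumptions for illustration:

```conf
##### Option "Best": a syslog daemon writes one file per sender, the UF reads the files

# /etc/rsyslog.d/10-remote-syslog.conf (rsyslog RainerScript syntax)
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")

# one directory per sending IP, one file per day; %rawmsg% keeps the original line intact
template(name="PerHostFile" type="string"
         string="/var/log/remote/%fromhost-ip%/%$year%-%$month%-%$day%.log")
template(name="RawLine" type="string" string="%rawmsg%\n")

ruleset(name="remote") {
    action(type="omfile" dynaFile="PerHostFile" template="RawLine"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}

# $SPLUNK_HOME/etc/apps/syslog_inputs/local/inputs.conf on the universal forwarder
# The sourcetype is decided by the file path, so it never depends on event content.

# Palo Alto firewall (constructed address 10.0.0.5)
[monitor:///var/log/remote/10.0.0.5]
sourcetype = pan:log
index = firewall
host = pa-fw-01
disabled = 0

# Everything else under /var/log/remote: host taken from the 4th path segment
# (/var/log/remote/<ip>/...), and the firewall directory excluded so it is not read twice
[monitor:///var/log/remote]
sourcetype = syslog
index = network
host_segment = 4
blacklist = ^/var/log/remote/10\.0\.0\.5/
disabled = 0

##### Option "Bad" (3): keep a single [udp://514] input and rewrite the sourcetype at parse time
# These go on the instance that parses the data (heavy forwarder or indexer), not on a UF.

# props.conf: events from the shared UDP input get the routing transform
[source::udp:514]
TRANSFORMS-route_by_host = set_sourcetype_pan

# transforms.conf: only events whose host is the firewall become pan:log;
# all others keep whatever sourcetype the [udp://514] stanza assigned (e.g. syslog)
[set_sourcetype_pan]
SOURCE_KEY = MetaData:Host
REGEX = ^host::10\.0\.0\.5$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pan:log
```

The file-based route is "best" for the reasons the answer gives and one more: the syslog daemon, not Splunk, absorbs bursts and restarts, so a Splunk restart or a slow indexer does not drop UDP datagrams on the floor. The transforms route works, but it ties the sourcetype to the host field, which for a UDP input is derived from a spoofable source address, and it runs only on the parsing tier, so a universal forwarder cannot apply it.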

dkeck
Influencer

Hi,

I am pretty certain that Splunk can handle one sourcetype for one UDP:port input.

I think a dedicated syslog server could deal with this though.

0 Karma