
Ever since I installed this app, nothing else has been showing data on udp:514?

bcdatacomm
Explorer

When I installed the app and set it up using the guide, I also set it up to use its own index. I set it up to send the data over https. But for some reason now, nothing is showing in my regular index that udp:514 is sent to. I stopped getting entries at the exact time I installed this app. What did it do to hijack udp:514?

:/etc# lsof -i :514
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
splunkd 13946 root 37u IPv4 2709215 0t0 TCP *:shell (LISTEN)
splunkd 13946 root 44u IPv4 2709220 0t0 UDP *:syslog


TonyLeeVT
Builder

Problem solved. Changed props.conf settings below and it fixed the issue. We tested this change in the FireEye app and it did not seem to break anything, thus we pushed a new version to the app store. Note: we need the linemerge for json and xml over syslog, but it seems to break intelligently thus far.

[syslog]
TRUNCATE=0
SHOULD_LINEMERGE = false
LINE_BREAKER = ((?!))

-to-

[syslog]
TRUNCATE=0
SHOULD_LINEMERGE = true
LINE_BREAKER = ((?!))

Thanks to bcdatacomm for bringing this issue to our attention.

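As an added illustration (not code from the thread or from the FireEye app), the script below parses the two [syslog] stanzas quoted above, reports which setting changed, and runs a deliberately simplified model of Splunk line breaking over a few constructed syslog datagrams. The point it makes is that `(?!)` is an empty negative lookahead, so `LINE_BREAKER = ((?!))` can never match and never terminates an event; Splunk's default breaker `([\r\n]+)` is used for comparison, and the model itself (first capture group ends an event and is discarded) is an assumption, not Splunk's exact pipeline.

```python
import re

# The two [syslog] stanzas from the accepted answer, before and after the fix.
BEFORE = """[syslog]
TRUNCATE=0
SHOULD_LINEMERGE = false
LINE_BREAKER = ((?!))
"""
AFTER = """[syslog]
TRUNCATE=0
SHOULD_LINEMERGE = true
LINE_BREAKER = ((?!))
"""

# Constructed sample: three syslog lines as they might arrive on udp:514.
SAMPLE = (
    "<34>Oct  5 12:00:01 fw01 kernel: drop in=eth0 src=10.0.0.8\n"
    "<34>Oct  5 12:00:02 fw01 kernel: drop in=eth0 src=10.0.0.9\n"
    "<13>Oct  5 12:00:03 app01 sshd[811]: Accepted publickey for ops\n"
)
DEFAULT_LINE_BREAKER = r"([\r\n]+)"   # Splunk's default LINE_BREAKER

def parse_stanza(text):
    """Parse one props.conf stanza into {key: value}; accepts 'K=V' and 'K = V'."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("[", "#")):
            continue
        key, _, val = line.partition("=")
        cfg[key.strip()] = val.strip()
    return cfg

def diff_stanzas(a, b):
    """Return {key: (old, new)} for every setting that differs between two stanzas."""
    ca, cb = parse_stanza(a), parse_stanza(b)
    return {k: (ca.get(k), cb.get(k)) for k in ca.keys() | cb.keys() if ca.get(k) != cb.get(k)}

def break_lines(buf, line_breaker):
    """Simplified model of line breaking (assumption): each match of the breaker's
    first capture group ends one event and the delimiter itself is dropped."""
    events, start = [], 0
    for m in re.finditer(line_breaker, buf):
        if m.start(1) == m.end(1):   # a zero-width match cannot delimit anything
            continue
        events.append(buf[start:m.start(1)])
        start = m.end(1)
    if buf[start:]:
        events.append(buf[start:])   # unterminated remainder: one open-ended chunk
    return events

if __name__ == "__main__":
    print("changed:", diff_stanzas(BEFORE, AFTER))
    print(len(break_lines(SAMPLE, DEFAULT_LINE_BREAKER)), "events with the default breaker")
    print(len(break_lines(SAMPLE, parse_stanza(BEFORE)["LINE_BREAKER"])), "event(s) with the app's breaker")
```

On a live instance, `splunk btool props list syslog --debug` shows which app's props.conf currently supplies each [syslog] setting, which is the quickest way to confirm that a newly installed add-on has overridden a shared sourcetype.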

bcdatacomm
Explorer

Thanks again for the quick help and resolution!


TonyLeeVT
Builder

No problem. I will look at props in the meantime and try to shuffle what I believe to be the offenders to a lower stanza. Then I will test the app and see if it breaks anything. Thanks for bringing this to our attention.


bcdatacomm
Explorer

Wow, talk about a fast response! Thanks! I'll email you shortly.


TonyLeeVT
Builder

It is most likely because the app accepts traffic as syslog and then parses it into different sourcetypes. Some of the regex may be catching some of your other traffic. If you email me directly via the feedback dropdown in the app, we can set up a webex and figure out what is going on. Then we can fix it for you and others.
