Ever since I installed this app, nothing else has been showing data on udp:514?

bcdatacomm
Explorer

When I installed the app and set it up using the guide, I also set it up to use its own index. I set it up to send the data over https. But for some reason now, nothing is showing in my regular index that udp:514 is sent to. I stopped getting entries at the exact time I installed this app. What did it do to hijack udp:514?

:/etc# lsof -i :514
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
splunkd 13946 root 37u IPv4 2709215 0t0 TCP *:shell (LISTEN)
splunkd 13946 root 44u IPv4 2709220 0t0 UDP *:syslog

TonyLeeVT
Builder

Problem solved. Changed props.conf settings below and it fixed the issue. We tested this change in the FireEye app and it did not seem to break anything, thus we pushed a new version to the app store. Note: we need the linemerge for json and xml over syslog, but it seems to break intelligently thus far.

[syslog]
TRUNCATE=0
SHOULD_LINEMERGE = false
LINE_BREAKER = ((?!))

-to-

[syslog]
TRUNCATE=0
SHOULD_LINEMERGE = true
LINE_BREAKER = ((?!))

Thanks to bcdatacomm for bringing this issue to our attention.

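The posted [syslog] stanza keeps LINE_BREAKER = ((?!)), a regex that can never match (an empty negative lookahead). The following is an added example written for this page, not code from the app or the thread: it emulates Splunk's LINE_BREAKER semantics in Python over three constructed syslog lines and shows that, with line merging off, that breaker produces no event boundaries at all and the whole stream stays buffered, whereas the default ([\r\n]+) yields one event per line. The emulation is a simplified model of the breaker step only; the merging step that SHOULD_LINEMERGE = true turns on is not modelled.

```python
import re

# Constructed sample: three syslog lines as they might arrive on udp:514 (not from the thread).
SAMPLE = (
    "<134>Mar  1 10:00:01 fw01 kernel: accepted tcp 10.0.0.5 -> 10.0.0.9:443\n"
    "<134>Mar  1 10:00:02 fw01 kernel: dropped udp 10.0.0.7 -> 10.0.0.9:53\n"
    "<13>Mar  1 10:00:03 app01 sshd[2211]: session opened for user ops\n"
)

# LINE_BREAKER values: the one in the posted [syslog] stanza, and Splunk's default.
NEVER_MATCH_BREAKER = r"((?!))"  # empty negative lookahead: fails at every position
DEFAULT_BREAKER = r"([\r\n]+)"   # default LINE_BREAKER: one event per line


def break_events(raw: str, line_breaker: str) -> tuple[list[str], str]:
    """Emulate LINE_BREAKER with SHOULD_LINEMERGE = false (assumption: a simplified
    model written for this example, not Splunk code). An event ends at each match and
    the text captured by group 1 is consumed as the delimiter. Data after the last
    boundary is returned separately as still-buffered, not-yet-emitted input."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        if m.end() == m.start():
            continue  # zero-width match: nothing consumed, no boundary
        events.append(raw[start:m.start()])
        start = m.end()
    return events, raw[start:]


def audit_breaker(line_breaker: str, raw: str = SAMPLE) -> dict:
    """Summarise what a stanza does to the sample: events emitted vs bytes left buffered."""
    events, pending = break_events(raw, line_breaker)
    return {"events": len(events), "buffered_bytes": len(pending)}


if __name__ == "__main__":
    for name, breaker in (("posted stanza", NEVER_MATCH_BREAKER), ("default", DEFAULT_BREAKER)):
        print(f"{name:14} LINE_BREAKER={breaker!r:14} -> {audit_breaker(breaker)}")
```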
bcdatacomm
Explorer

Thanks again for the quick help and resolution!

TonyLeeVT
Builder

No problem. I will look at props in the meantime and try to shuffle what I believe to be the offenders to a lower stanza. Then I will test the app and see if it breaks anything. Thanks for bringing this to our attention.

bcdatacomm
Explorer

Wow, talk about a fast response! Thanks! I'll email you shortly.

TonyLeeVT
Builder

It is most likely because the app accepts traffic as syslog and then parses it into different sourcetypes. Some of the regex may be catching some of your other traffic. If you email me directly via the feedback dropdown in the app, we can set up a webex and figure out what is going on. Then we can fix it for you and others.
