Multiple sourcetypes and listenners on the same ud...

foufoumad · ‎10-09-2019

I have some questions concerning a Splunk deployment i'm working on, we have a single Splunk instance and we want to forward all the logs from network equipment to it directly.

Can we send all the data to UDP/514 while defining multiple sourcetypes, since the default syslog port cannot be changed in some devices.
is it possible to set multiple listeners with the same port somthing along "host::port"
"host_ip_1:514"
"host_ip_2:514"
.
.
etc.

We're afraid that if we just open the UDP/514 and dump all the data with only one sourcetype defined (syslog), it'll be harder to manage the data and integrate it with some Splunk Apps that require specific sourcetypes.

what would you suggest?

Excuse the rookie question, i'm new to splunk.

gcusello · ‎10-10-2019

Hi foufoumad,
you have to ingest all sources with a sourcetype (e.g. syslog) then override the sourcetype based on regex.
The main job is to identify a regex for each kind of source.
For more information see at https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides

In few words:
on props.conf

[syslog]
TRANSFORMS-changesourcetype_source1 = set_sourcetype_1
TRANSFORMS-changesourcetype_source2 = set_sourcetype_2

on transforms.conf

[set_sourcetype_1]
REGEX = your_regex1
FORMAT = sourcetype::your_new_sourcetype_1
DEST_KEY = MetaData:Sourcetype
[set_sourcetype_2]
REGEX = your_regex2
FORMAT = sourcetype::your_new_sourcetype_2
DEST_KEY = MetaData:Sourcetype

Bye.
Giuseppe

starcher · ‎10-09-2019

Don't use Splunk for Syslog network ports. Send syslog to a syslog receiver and pick it up with a universal forwarder.

Multiple sourcetypes and listenners on the same udp port.

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!