Getting Data In

4.2 UDP input with source IP: not working?

twinspop
Influencer

EDIT: I've discovered this only happens if I specify more than one stanza on the same port -- different remote IPs, same UDP port. The way I read the docs, it sounded like you could overload a port by specifying the remote IPs. Is that not the case?

[udp://10.1.168.158:7901]
host = myhostname
sourcetype = syslog

Doesn't work. Am I missing something? If I leave out the source IP specifier it works fine. Attempting to edit this entry in the GUI coughs up an error about the UDP port not being an integer.

Per inputs.conf docs on splunk.com:

[udp://<remote server>:<port>]
* Similar to TCP, except that it listens on a UDP port.
* Configure Splunk to listen on a specific port. 
* If <remote server> is specified, the specified port will only accept data from that server.
* If <remote server> is empty - [udp://<port>] - the port will accept data sent from any server.

tcpdump confirms the source IP and destination port:

14:41:30.773817 xxxxx > xxxxx, ethertype IPv4 (0x0800), length 198: 10.1.168.158.32774 > 10.5.130.206.7901: UDP
0 Karma

jbsplunk
Splunk Employee

I just added the following input on my indexer via inputs.conf:

[udp://10.1.40.16:1514]
source = downvote
sourcetype = downvote

Then I generated 3000 events. Prior to that I had the input set up like this:

[udp://1514]
source = downvote
sourcetype = downvote

My event count is now sitting at 4000 on the 4.2 indexer where I sent the events.

twinspop
Influencer

Change the sourcetype and/or source so you can tell which stanza is providing the data you're seeing. Also, add another stanza with a different remote IP (and sourcetype/source). The remote IP specific entries will go dormant.

0 Karma
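The situation the thread narrows down to is several `[udp://<remote server>:<port>]` stanzas sharing one UDP port. A small lint pass over inputs.conf makes that configuration visible before data goes dormant silently. The following is an added example, not code from the thread or from Splunk: it parses the stanza header forms quoted from the inputs.conf docs above, groups stanzas by port, and reports any port declared more than once. The sample inputs.conf text is constructed from the stanzas in the thread, and the parser assumes IPv4 or hostname remotes (no bracketed IPv6).

```python
"""Lint Splunk inputs.conf UDP stanzas for ports declared by more than one stanza.

Added example (not part of the forum thread or Splunk's own tooling).
Header forms handled, as documented:
    [udp://<remote server>:<port>]   accept data only from that server
    [udp://<port>]                   accept data from any server
Assumption: <remote server> is an IPv4 address or hostname, not IPv6.
"""
import re
from collections import defaultdict

# Constructed sample mirroring the thread: two remote-restricted stanzas
# on the same port (7901) plus one unrestricted stanza on another port.
SAMPLE_INPUTS_CONF = """
[udp://10.1.168.158:7901]
host = myhostname
sourcetype = syslog

[udp://10.1.40.16:7901]
host = otherhost
sourcetype = syslog

[udp://1514]
source = downvote
sourcetype = downvote
"""

# remote part is optional; port must be an integer (the GUI error in the
# thread is about a non-integer port, which this regex would also reject)
STANZA_RE = re.compile(r"^\[udp://(?:(?P<remote>[^\]:]+):)?(?P<port>\d+)\]$")


def parse_udp_stanzas(text):
    """Return a list of (remote_or_None, port, settings) for each udp:// stanza.

    Non-udp stanzas are skipped; their key/value lines are ignored too.
    """
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            current = None  # reset on any new stanza header
            m = STANZA_RE.match(line)
            if m:
                current = (m.group("remote"), int(m.group("port")), {})
                stanzas.append(current)
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[2][key.strip()] = value.strip()
    return stanzas


def find_port_collisions(stanzas):
    """Map port -> list of remote filters (None = any server) for ports used
    by more than one stanza. These are the ports worth checking after a
    restart, since the thread reports only one such stanza stays active."""
    by_port = defaultdict(list)
    for remote, port, _settings in stanzas:
        by_port[port].append(remote)
    return {port: remotes for port, remotes in by_port.items() if len(remotes) > 1}


if __name__ == "__main__":
    parsed = parse_udp_stanzas(SAMPLE_INPUTS_CONF)
    for port, remotes in sorted(find_port_collisions(parsed).items()):
        print(f"udp port {port} declared {len(remotes)} times: {remotes}")
```

Run it against a real inputs.conf by reading the file into `parse_udp_stanzas` instead of the constructed sample; a non-empty result from `find_port_collisions` is the configuration to verify with a per-stanza sourcetype, as suggested in the reply above.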

twinspop
Influencer

Yes, without specifying the remote IP it works.

0 Karma