EDIT: I've discovered this only happens if I specify more than one stanza on the same port -- different remote IPs, same UDP port. The way I read the docs, it sounded like you could overload a port by specifying the remote IPs. Is that not the case?
[udp://10.1.168.158:7901] host = myhostname sourcetype = syslog
Doesn't work. Am I m issing something? If I leave out the source IP specifier it works fine. Attempting to edit this entry in the GUI coughs up an error about the UDP port not being an integer.
Per inputs.conf docs on splunk.com:
[udp://<remote server>:<port>] * Similar to TCP, except that it listens on a UDP port. * Configure Splunk to listen on a specific port. * If <remote server> is specified, the specified port will only accept data from that server. * If <remote server> is empty - [udp://<port>] - the port will accept data sent from any server.
tcpdump confirms the source IP and destination port:
14:41:30.773817 xxxxx > xxxxx, ethertype IPv4 (0x0800), length 198: 10.1.168.158.32774 > 10.5.130.206.7901: UDP
I just added the following input on my indexer via inputs.conf:
[udp://10.1.40.16:1514] source = downvote sourcetype = downvote
Then I generated 3000 events. Prior to that I had the input set up like this:
[udp://1514] source = downvote sourcetype = downvote
My event count is now sitting at 4000 on the 4.2 indexer where I sent the events.
Change the sourcetype and/or source so you can tell which stanza is providing the data you're seeing. Also, add another stanza with a different remote IP (and souretype/source). The remote IP specific entries will go dormant.