
Adding a custom "handler" to TCP/UDP input

Damien_Dallimor
Ultra Champion

Does such a facility exist within Splunk by which you can add a custom "handler" to a TCP or UDP socket input?

Such a scenario might be where you want to send data to Splunk via TCP, and this data might be a proprietary layer 4 network protocol that requires a custom handler to first decode the raw protocol bytes into a textual format before passing them on to Splunk for indexing.

I could quite easily write a "scripted input" that listens on a socket and outputs decoded bytes to STDOUT, but it would be nice if I could just write a custom "handler" that chains onto a standard TCP input.

Regards,

Damien D.

1 Solution

araitz
Splunk Employee

Just write a scripted input, especially if you are confident that you can do it. What is the difference between that and a custom handler?

In general, your handler will provide the bottleneck, so the underlying TCP and UDP sockets don't really buy you anything.

If you just must use Splunk's sockets, have your scripted input listen on one port, do your decoding, and send the plain-text stream to a Splunk socket listening on another port.

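The proxy pattern araitz describes above (a scripted input that listens on one port, decodes the proprietary bytes, and relays plain text to a Splunk TCP input on another port), worked through as an added example. This is not code from the original thread or from Splunk. The binary frame format, the port numbers, the stanza names mentioned afterwards, and the sample frames are all assumptions constructed for illustration; substitute the real protocol's framing in decode_frame/decode_stream.

```python
"""Scripted-input style decoder that proxies a toy binary protocol into a Splunk TCP input.

Constructed example: the frame layout and the ports below are assumptions,
not anything defined by Splunk or by the original poster.
"""
import socket
import struct
import sys
import threading

# Toy "proprietary" layer-4 protocol (assumed for illustration):
#   frame := u16 total_len | u8 msg_type | u32 device_id | payload[total_len - 7]
HEADER = struct.Struct("!HBI")
MSG_TYPES = {1: "heartbeat", 2: "temperature", 3: "alarm"}
MAX_FRAME = 4096  # bound frame size so a hostile peer cannot make the decoder buffer forever

LISTEN_ADDR = ("127.0.0.1", 9997)  # where the decoder accepts raw protocol bytes (assumed)
SPLUNK_ADDR = ("127.0.0.1", 9998)  # plain-text Splunk TCP input the decoder forwards to (assumed)


def encode_frame(msg_type: int, device_id: int, payload: bytes) -> bytes:
    """Build one frame; used only to construct sample input for the example."""
    return HEADER.pack(HEADER.size + len(payload), msg_type, device_id) + payload


def decode_frame(frame: bytes) -> str:
    """Turn one complete frame into a single key=value text line Splunk can index."""
    total_len, msg_type, device_id = HEADER.unpack_from(frame)
    payload = frame[HEADER.size:total_len]
    kind = MSG_TYPES.get(msg_type, "unknown(%d)" % msg_type)
    if msg_type == 2 and len(payload) == 2:
        # temperature readings are a signed 16-bit value in tenths of a degree (assumed)
        value = "%.1f" % (struct.unpack("!h", payload)[0] / 10.0)
    else:
        value = payload.hex()
    return "type=%s device=%d payload=%s" % (kind, device_id, value)


def decode_stream(buf: bytes):
    """Split a TCP byte buffer into decoded events plus the unconsumed tail.

    TCP has no message boundaries: one recv() may hold half a frame or several
    frames, so the partial remainder is handed back for the next call.
    Returns (events, remainder, errors); a non-empty errors list means framing
    is lost and the caller should drop the connection rather than guess.
    """
    events, errors = [], []
    pos = 0
    while len(buf) - pos >= HEADER.size:
        total_len = struct.unpack_from("!H", buf, pos)[0]
        if total_len < HEADER.size or total_len > MAX_FRAME:
            errors.append("bad frame length %d at offset %d" % (total_len, pos))
            return events, b"", errors
        if len(buf) - pos < total_len:
            break  # partial frame: wait for more bytes
        events.append(decode_frame(buf[pos:pos + total_len]))
        pos += total_len
    return events, buf[pos:], errors


def forward_connection(conn: socket.socket, splunk_addr=SPLUNK_ADDR) -> None:
    """Decode one client's stream and relay newline-terminated text to the Splunk input."""
    with conn, socket.create_connection(splunk_addr) as splunk:
        buf = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                return
            buf += chunk
            events, buf, errors = decode_stream(buf)
            for line in events:
                splunk.sendall((line + "\n").encode())
            if errors:
                sys.stderr.write("dropping client: %s\n" % errors[0])
                return


def serve(listen_addr=LISTEN_ADDR) -> None:
    """Accept raw-protocol clients; one decoding thread per connection."""
    with socket.create_server(listen_addr) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=forward_connection, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

In a real deployment the script would be started by splunkd as the scripted input and the forward port configured as a plain-text TCP input (stanza names such as [tcp://9998] are illustrative here). Two points worth checking when wiring it up: the decoder, not Splunk, now owns the listening socket the protocol clients reach, so the frame-length bound and dropping a client on a framing error are what keep a malformed or hostile stream from exhausting memory or desynchronising the parser; and the hop from decoder to Splunk is unauthenticated plain text, so keep both sockets on loopback and restrict the Splunk input's accepted sources accordingly.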

Damien_Dallimor
Ultra Champion

Thanks guys. I think I'll go with the scripted input proxying on to a Splunk socket input.

Damien D.


dwaddle
SplunkTrust

Hi Damien, don't forget to "accept" an answer by clicking the outlined check-mark to the left of it.



dwaddle
SplunkTrust

Such a facility does not exist at this time. At least, not one that is accessible to us customers. Splunk may have such a technique they use internally, but I don't think they expose any kind of API for us to get at it.

If this is something you want Splunk to consider you should submit an ER for it.

http://splunk-base.splunk.com/answers/4844/how-can-i-submit-an-enhancement-request
