Getting Data In

Adding a custom "handler" to TCP/UDP input

Damien_Dallimor
Ultra Champion

Does such a facility exist within SPLUNK by which you can add a custom "handler" to a TCP or UDP socket input ?

Such a scenario might be where you want to send data to SPLUNK via TCP, and this data might be a proprietary layer 4 network protocol that requires a custom handler to first decode the raw protocol bytes into a textual format before passing on to SPLUNK indexing.

I could quite easily write a "scripted input" that listens on a socket and outputs decoded bytes to STDOUT, but it would be nice if I could just write a custom "handler" that chains onto a standard TCP input.

Regards,

Damien D.

Tags (2)
1 Solution

araitz
Splunk Employee
Splunk Employee

Just write a scripted input, especially if you are confident that you can do it. What is the difference between that and a custom handler?

In general, your handler will provide the bottleneck, so the underlying TCP and UDP sockets don't really buy you anything.

If you just must use Splunk's sockets, have your scripted input listen on one port, do your decoding, and send the plain-text stream to a Splunk socket listening on another port.

View solution in original post

Damien_Dallimor
Ultra Champion

Thanks guys..I think I'll go with the scripted input proxying on to a Splunk socket input.

Damien D.

0 Karma

dwaddle
SplunkTrust
SplunkTrust

Hi Damien, don't forget to "accept" an answer by clicking the outlined check-mark to the left of it.

0 Karma

araitz
Splunk Employee
Splunk Employee

Just write a scripted input, especially if you are confident that you can do it. What is the difference between that and a custom handler?

In general, your handler will provide the bottleneck, so the underlying TCP and UDP sockets don't really buy you anything.

If you just must use Splunk's sockets, have your scripted input listen on one port, do your decoding, and send the plain-text stream to a Splunk socket listening on another port.

dwaddle
SplunkTrust
SplunkTrust

Such a facility does not exist at this time. At least, not that is accessible to us customers. Splunk may have such a technique they use internally - but I don't think they expose any kind of API for us to get at it.

If this is something you want Splunk to consider you should submit an ER for it.

http://splunk-base.splunk.com/answers/4844/how-can-i-submit-an-enhancement-request

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...