Solved: After upgrade to Splunk 6.4.0 from 6.3.1, why is U...

srunyon · ‎05-17-2016

I just updated to 6.4.0 from 6.3.1. Data is being received on UDP:514 from my firewalls. This data was indexed as syslog, but is now going into main. I have the \etc\apps\search\local\inputs.conf configured with:

[udp://514]
connection_host = ip
index = syslog
sourcetype = syslog

Is there any other location that I need to configure to get this data into the syslog index?

Thanks.

masonmorales · ‎05-17-2016

Can you verify that there isn't another udp://514 input configured that could have higher precedence? Use splunk cmd btool inputs list --debug from CLI to check.

View solution in original post

masonmorales · ‎05-17-2016

Can you verify that there isn't another udp://514 input configured that could have higher precedence? Use splunk cmd btool inputs list --debug from CLI to check.

srunyon · ‎05-18-2016

On the chance that I missed something, I did the btool on udp:514 (instead of upd://514), I found a TA that had that in the inputs.conf, added index=syslog. My data is now being indexed as syslog.

Thanks for the pointer!!

masonmorales · ‎05-18-2016

Glad to hear it!

srunyon · ‎05-18-2016

Using the btool, there are no other inputs.conf that contain the udp://514 stanza. I also verified that outputs, props and transforms do not have it.

After upgrade to Splunk 6.4.0 from 6.3.1, why is UDP:514 data being indexed in main and not the syslog index?

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control

Data Preparation Made Easy: SPL2 for Edge Processor