I just updated to 6.4.0 from 6.3.1. Data is being received on UDP:514 from my firewalls. This data was indexed as syslog, but is now going into main. I have the \etc\apps\search\local\inputs.conf configured with:
[udp://514]
connection_host = ip
index = syslog
sourcetype = syslog
Is there any other location that I need to configure to get this data into the syslog index?
Can you verify that there isn't another udp://514 input configured that could have higher precedence? Use `splunk cmd btool inputs list --debug` from the CLI to check.
Using the btool, there are no other inputs.conf that contain the udp://514 stanza. I also verified that outputs, props and transforms do not have it.
On the chance that I missed something, I did the btool on udp:514 (instead of udp://514). I found a TA that had that in the inputs.conf and added index=syslog. My data is now being indexed as syslog.
Thanks for the pointer!!
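The check suggested in the answer above, and the lesson from the follow-up (a stanza can be written as `[udp:514]` as well as `[udp://514]`, so a search for only one spelling misses the other), as an added example that is not part of this thread and not Splunk's own tooling. It scans saved output of `splunk cmd btool inputs list --debug` for every UDP 514 stanza in either form and reports the defining file and the `index` it sets; a stanza with no `index` is the one whose events fall through to the default index. The btool output embedded here is constructed for the example, and the `/opt/splunk/etc/apps/example_ta` path is a placeholder, not a real TA.

```shell
#!/bin/sh
# Added example (not from the thread): find every UDP 514 input stanza in
# "splunk cmd btool inputs list --debug" output, whether written as
# [udp://514] or as [udp:514], and show which file defines it and which
# index it targets. Events from a stanza with no index setting land in the
# default index (main), which is the symptom described in the thread.

# Constructed sample of btool --debug output (each line is prefixed with the
# .conf file it was read from). Real data would come from:
#   splunk cmd btool inputs list --debug > btool.out
write_sample() {
cat > "$1" <<'EOF'
/opt/splunk/etc/system/default/inputs.conf        [default]
/opt/splunk/etc/system/default/inputs.conf        host = $decideOnStartup
/opt/splunk/etc/apps/search/local/inputs.conf     [udp://514]
/opt/splunk/etc/apps/search/local/inputs.conf     connection_host = ip
/opt/splunk/etc/apps/search/local/inputs.conf     index = syslog
/opt/splunk/etc/apps/search/local/inputs.conf     sourcetype = syslog
/opt/splunk/etc/apps/example_ta/local/inputs.conf [udp:514]
/opt/splunk/etc/apps/example_ta/local/inputs.conf sourcetype = syslog
EOF
}

# Print one line per UDP 514 stanza: "<file> <stanza> index=<value|UNSET>".
# $1 is a file holding btool --debug output.
report_udp514() {
  awk '
    # strip the leading file path that btool --debug prepends to each line
    { file = $1; sub(/^[^ \t]+[ \t]+/, ""); line = $0 }
    # a new stanza header: flush the previous UDP 514 stanza, if any
    /^\[/ {
      if (in514) printf "%s %s index=%s\n", cur_file, cur_stanza, idx
      in514 = (line ~ /^\[udp:(\/\/)?514\]$/)
      cur_file = file; cur_stanza = line; idx = "UNSET"
      next
    }
    # inside a UDP 514 stanza, remember its index setting
    in514 && line ~ /^index[ \t]*=/ { sub(/^index[ \t]*=[ \t]*/, "", line); idx = line }
    END { if (in514) printf "%s %s index=%s\n", cur_file, cur_stanza, idx }
  ' "$1"
}

# Stand-alone use: pass a saved btool output file, or run with no
# arguments to see the report on the constructed sample.
if [ "$#" -ge 1 ]; then
  report_udp514 "$1"
elif [ -z "${SKIP_DEMO:-}" ]; then
  demo=$(mktemp)
  write_sample "$demo"
  report_udp514 "$demo"
  rm -f "$demo"
fi
```

On the sample above the report shows the `search` app's `[udp://514]` stanza with `index=syslog` and the TA's `[udp:514]` stanza with `index=UNSET`; the second line is the stanza to add `index = syslog` to (or to remove, if the TA should not own the port at all), after which `splunk cmd btool inputs list --debug` should show a single effective owner for the port.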