Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

After upgrade to Splunk 6.4.0 from 6.3.1, why is UDP:514 data being indexed in main and not the syslog index?

srunyon
New Member
‎05-17-2016 10:08 AM

I just updated to 6.4.0 from 6.3.1. Data is being received on UDP:514 from my firewalls. This data was indexed as syslog, but is now going into main. I have the \etc\apps\search\local\inputs.conf configured with:

[udp://514]
connection_host = ip
index = syslog
sourcetype = syslog

Is there any other location that I need to configure to get this data into the syslog index?

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

masonmorales
Influencer
‎05-17-2016 01:04 PM

Can you verify that there isn't another udp://514 input configured that could have higher precedence? Use splunk cmd btool inputs list --debug from CLI to check.

View solution in original post

Reply
Solved! Jump to solution
Solution

masonmorales
Influencer
‎05-17-2016 01:04 PM

Can you verify that there isn't another udp://514 input configured that could have higher precedence? Use splunk cmd btool inputs list --debug from CLI to check.

Reply
Solved! Jump to solution

srunyon
New Member
‎05-18-2016 06:29 AM

On the chance that I missed something, I did the btool on udp:514 (instead of upd://514), I found a TA that had that in the inputs.conf, added index=syslog. My data is now being indexed as syslog.

Thanks for the pointer!!

0 Karma
Reply
Solved! Jump to solution

masonmorales
Influencer
‎05-18-2016 09:10 AM

Glad to hear it!

0 Karma
Reply
Solved! Jump to solution

srunyon
New Member
‎05-18-2016 04:58 AM

Using the btool, there are no other inputs.conf that contain the udp://514 stanza. I also verified that outputs, props and transforms do not have it.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...