
After upgrade to Splunk 6.4.0 from 6.3.1, why is UDP:514 data being indexed in main and not the syslog index?

New Member

I just updated to 6.4.0 from 6.3.1. Data is being received on UDP:514 from my firewalls. This data was indexed as syslog, but is now going into main. I have the \etc\apps\search\local\inputs.conf configured with:

[udp://514]
connection_host = ip
index = syslog
sourcetype = syslog

Is there any other location that I need to configure to get this data into the syslog index?

Thanks.


Re: After upgrade to Splunk 6.4.0 from 6.3.1, why is UDP:514 data being indexed in main and not the syslog index?

Influencer

Can you verify that there isn't another udp://514 input configured that could have higher precedence? Use splunk cmd btool inputs list --debug from the CLI to check.

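To make the precedence check in the answer above concrete, here is an added example (not from the thread, not Splunk's own code) that merges inputs.conf stanzas from several constructed sample files the way btool --debug reports them: attribute by attribute, with the documented global-context ordering (system/local, then app local directories, then app default directories, then system/default; among apps, ASCII order of the directory name wins, so uppercase names beat lowercase ones). The file contents, the add-on name TA-firewall and its index = main setting are all assumptions made up for the demonstration.

```python
"""Approximate what `splunk btool inputs list --debug` shows: merge inputs.conf
stanzas across apps using Splunk's documented global-context precedence and
record which file supplied each winning attribute."""
from typing import Dict, List, Tuple

# Constructed sample files (not from the thread), keyed by path under $SPLUNK_HOME/etc.
# "TA-firewall" is a hypothetical add-on; its stanza is assumed to set index = main.
SAMPLE_FILES: Dict[str, str] = {
    "system/default/inputs.conf": "[default]\nhost = splunk01\nindex = default\n",
    "apps/search/local/inputs.conf": (
        "# the stanza the user intended to take effect\n"
        "[udp://514]\nconnection_host = ip\nindex = syslog\nsourcetype = syslog\n"
    ),
    "apps/TA-firewall/local/inputs.conf": "[udp://514]\nindex = main\nsourcetype = syslog\n",
}

Stanzas = Dict[str, Dict[str, str]]


def parse_conf(text: str) -> Stanzas:
    """Minimal .conf parser: [stanza] headers, key = value lines, # comments."""
    stanzas: Stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def precedence_key(path: str) -> Tuple[int, str]:
    """Lower tuple = higher precedence. system/local > app local > app default
    > system/default; among apps, ASCII order of the directory name decides
    ('A' beats 'B', and uppercase beats lowercase)."""
    parts = path.split("/")
    if parts[0] == "system":
        return (0, "") if parts[1] == "local" else (3, "")
    app, scope = parts[1], parts[2]  # apps/<name>/<local|default>/inputs.conf
    return (1 if scope == "local" else 2, app)


def merge(files: Dict[str, str]) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Return stanza -> key -> (winning value, file that supplied it)."""
    merged: Dict[str, Dict[str, Tuple[str, str]]] = {}
    for path in sorted(files, key=precedence_key):  # highest precedence first
        for stanza, attrs in parse_conf(files[path]).items():
            target = merged.setdefault(stanza, {})
            for key, value in attrs.items():
                target.setdefault(key, (value, path))  # first (highest) writer wins
    return merged


def effective(files: Dict[str, str], stanza: str) -> Dict[str, Tuple[str, str]]:
    """Effective attributes for one input; [default] is used as a simplified fallback."""
    merged = merge(files)
    result = dict(merged.get("default", {}))
    result.update(merged.get(stanza, {}))
    return result


def explain(files: Dict[str, str], stanza: str) -> List[str]:
    """btool --debug style lines: '<source file>  key = value'."""
    return [f"{src:<40} {key} = {val}"
            for key, (val, src) in sorted(effective(files, stanza).items())]


if __name__ == "__main__":
    for line in explain(SAMPLE_FILES, "udp://514"):
        print(line)
```

With these sample files the index attribute for udp://514 comes from TA-firewall, not from the search app, because "TA-firewall" sorts before "search" in ASCII order; connection_host still comes from the search app because the add-on never sets it. That per-attribute merging is why checking for a second stanza with the same name, as the answer suggests, matters more than checking a single file.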


Re: After upgrade to Splunk 6.4.0 from 6.3.1, why is UDP:514 data being indexed in main and not the syslog index?

New Member

Using btool, there are no other inputs.conf files that contain the udp://514 stanza. I also verified that outputs, props and transforms do not have it.


Re: After upgrade to Splunk 6.4.0 from 6.3.1, why is UDP:514 data being indexed in main and not the syslog index?

New Member

On the chance that I missed something, I did the btool on udp:514 (instead of udp://514), and I found a TA that had that in its inputs.conf; I added index=syslog. My data is now being indexed as syslog.

Thanks for the pointer!!


Re: After upgrade to Splunk 6.4.0 from 6.3.1, why is UDP:514 data being indexed in main and not the syslog index?

Influencer

Glad to hear it!
