Getting Data In

Can splunk read data from unix stream socket?

gots
Path Finder

Is it possible to get data in splunk from unix stream socket?
Not tcp\udp socket, but socket like this - https://en.wikipedia.org/wiki/Berkeley_sockets

For example syslog-ng have this feature.

Tags (1)
0 Karma
1 Solution

brolo
Explorer

Why not use syslog-ng as a go between?
See this link: httpss://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk.html

View solution in original post

woodcock
Esteemed Legend

Splunk needs more tuning, upgrades and restarts than does syslog-ng so if you go directly to Splunk, without a buffer capability on the sending side, you will have far more data loss. You can update yslog-ng configurations with SIGHUP without a restart or data outage. You cannot do that with Splunk. Use syslog-ng.

0 Karma

woodcock
Esteemed Legend
0 Karma

felipesewaybric
Contributor
0 Karma

brolo
Explorer

Why not use syslog-ng as a go between?
See this link: httpss://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk.html

vidhyaArumalla
Path Finder

I agree with @brolo

0 Karma

gots
Path Finder

I already done it with syslog-ng, but it seems that will be better do not create additional entities for simple task.

Python script also can help, but it is not ideal solution.

I had little hope that something miss in documentation.

Thank you all.

0 Karma

sjodle
Path Finder

I also agree. Alternatively, you could write a Bash or Python scripted input that reads the socket to stdout.

0 Karma
Get Updates on the Splunk Community!

Edge Processor | New Resiliency Improvements & Support for Additional Data Sources

We are excited to announce several exciting updates for Edge Processor aimed at hardening overall product ...

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...