Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Can splunk read data from unix stream socket?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to get data in splunk from unix stream socket?
Not tcp\udp socket, but socket like this - https://en.wikipedia.org/wiki/Berkeley_sockets
For example syslog-ng have this feature.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not use syslog-ng as a go between?
See this link: httpss://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk needs more tuning, upgrades and restarts than does syslog-ng so if you go directly to Splunk, without a buffer capability on the sending side, you will have far more data loss. You can update yslog-ng configurations with SIGHUP without a restart or data outage. You cannot do that with Splunk. Use syslog-ng.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I concur with the consensus; see these excellent 2 posts:
http://www.georgestarcher.com/splunk-success-with-syslog/
https://gitlab.com/rationalcyber/syslog-ng-configuration/wikis/home
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try with syslog, check the https://docs.splunk.com/Documentation/StreamApp/7.1.2/DeployStreamApp/ProtocolDetection
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not use syslog-ng as a go between?
See this link: httpss://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I agree with @brolo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I already done it with syslog-ng, but it seems that will be better do not create additional entities for simple task.
Python script also can help, but it is not ideal solution.
I had little hope that something miss in documentation.
Thank you all.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I also agree. Alternatively, you could write a Bash or Python scripted input that reads the socket to stdout.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
