Is it possible to get data in splunk from unix stream socket?
Not tcp\udp socket, but socket like this - https://en.wikipedia.org/wiki/Berkeley_sockets
For example syslog-ng have this feature.
Why not use syslog-ng as a go between?
See this link: https://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk.html
Splunk needs more tuning, upgrades and restarts than syslog-ng does, so if you go directly to Splunk, without a buffer capability on the sending side, you will have far more data loss. You can update syslog-ng configurations with SIGHUP without a restart or data outage. You cannot do that with Splunk. Use syslog-ng.
I concur with the consensus; see these two excellent posts:
http://www.georgestarcher.com/splunk-success-with-syslog/
https://gitlab.com/rationalcyber/syslog-ng-configuration/wikis/home
Try with syslog; check https://docs.splunk.com/Documentation/StreamApp/7.1.2/DeployStreamApp/ProtocolDetection
I agree with @brolo
I already did it with syslog-ng, but it seems it would be better not to create additional entities for a simple task.
A Python script can also help, but it is not an ideal solution.
I had little hope that something was missing in the documentation.
Thank you all.
I also agree. Alternatively, you could write a Bash or Python scripted input that reads the socket to stdout.
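One way to build the scripted input suggested above, as an added Python example that is not from this thread: it binds a Unix stream socket, relays each newline-terminated record to stdout for Splunk's scripted-input reader, and reassembles records split across `recv()` calls. The socket path is an assumed placeholder.

```python
#!/usr/bin/env python3
"""Splunk scripted input: relay records from a Unix stream socket to stdout.

Every newline-terminated record received on the socket is written to stdout,
which Splunk reads as the scripted input's output. There is no sender-side
buffering here: if this script is not running, clients fail to connect.
"""
import os
import socket
import sys

SOCKET_PATH = "/var/run/app-events.sock"  # assumed path; adjust per application


def read_records(conn, bufsize=4096):
    """Yield complete newline-delimited records from a connected stream socket.

    `conn` only needs a recv() method. Data that arrives without a trailing
    newline is held until the next chunk, and flushed when the peer closes.
    """
    pending = b""
    while True:
        chunk = conn.recv(bufsize)
        if not chunk:  # peer closed the connection
            break
        pending += chunk
        while b"\n" in pending:
            line, pending = pending.split(b"\n", 1)
            yield line.decode("utf-8", errors="replace")
    if pending:
        yield pending.decode("utf-8", errors="replace")


def serve(path, out=sys.stdout, max_conns=None):
    """Listen on `path`, accept clients in turn, write records to `out`.

    Returns the number of records relayed (useful for tests and logging).
    """
    if os.path.exists(path):
        os.unlink(path)  # remove a stale socket file from a previous run
    relayed = served = 0
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        os.chmod(path, 0o660)  # limit which local users may inject events
        srv.listen(8)
        while max_conns is None or served < max_conns:
            conn, _ = srv.accept()
            with conn:
                for record in read_records(conn):
                    out.write(record + "\n")
                    relayed += 1
                out.flush()
            served += 1
    os.unlink(path)
    return relayed


if __name__ == "__main__":
    serve(sys.argv[1] if len(sys.argv) > 1 else SOCKET_PATH)
```

Register it in inputs.conf as a scripted input with a long interval so one long-lived process owns the socket; clients can then `socat`/`nc -U` their events to it.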