Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can you help me figure out how to use UDP to transmit data from one heavy forwarder to another heavy forwarder?

xfaith
New Member
‎02-08-2019 09:57 AM

I'm trying to set up a test environment to be used in production. Will be taking data from another Splunk heavy forwarder (HF) and sending it to our HF.

Must use UDP to transmit the data.

I have played around with creating the output.conf/input.conf, props.conf, and transforms. But it keeps looking like it's indexing in the first HF, and not getting to the second HF.

I have tested with Netcat that UDP is sent to the other machine (UDP) watching with tcpdump.

Was using UDP:1514 for testing purposes.

If anyone can assist. I can try and add the .conf files, but I think they are all messed up now, that not sure if it would be helpful to post them.

0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎02-08-2019 11:40 AM

Have you seen this exact example: https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/Outputsconf#Syslog_output----

This should do it (in outputs.conf 😞

[syslog]
defaultGroup = mySyslogServer

[syslog:mySyslogServer]
server = [<ip>|<servername>]:<port>
type = udp
0 Karma
Reply

woodcock
Esteemed Legend
‎02-08-2019 11:29 AM

I highly advise against sending UDP directly to Splunk using UDP listener. Instead, setup syslog-ng as described here:
http://www.georgestarcher.com/splunk-success-with-syslog/

0 Karma
Reply

xfaith
New Member
‎02-08-2019 01:09 PM

one way connection so use UDP. I can see data coming from the HF1 to HF2 using tcpdump watching port 514. But its not being indexed. Below are my conf files. Probably something wrong in the

HF1#
outputs.conf
[syslog:syslog-output1]
server: X.X.X.6:514
type: udp

Prop.conf
[host::local*]
TRANSFORMS-syslog = send_to_syslog

Transforms
[send_to_syslog]
dest_key = _SYSLOG_ROUTING
FORMAT = syslog_out1

INPUTS (HF#2)
[udp://514]
_rcvbuf = 16777216
queueSize = 2048mb
persistantQueueSize = 4096mb

0 Karma
Reply
Get Updates on the Splunk Community!

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...