Getting Data In

Can you help me figure out how to use UDP to transmit data from one heavy forwarder to another heavy forwarder?

New Member

I'm trying to set up a test environment to be used in production. Will be taking data from another Splunk heavy forwarder (HF) and sending it to our HF.

Must use UDP to transmit the data.

I have played around with creating the output.conf/input.conf, props.conf, and transforms. But it keeps looking like it's indexing in the first HF, and not getting to the second HF.

I have tested with Netcat that UDP is sent to the other machine (UDP) watching with tcpdump.

Was using UDP:1514 for testing purposes.

If anyone can assist. I can try and add the .conf files, but I think they are all messed up now, that not sure if it would be helpful to post them.

0 Karma


Have you seen this exact example:

This should do it (in outputs.conf 😞

defaultGroup = mySyslogServer

server = [<ip>|<servername>]:<port>
type = udp
0 Karma

Esteemed Legend

I highly advise against sending UDP directly to Splunk using UDP listener. Instead, setup syslog-ng as described here:

0 Karma

New Member

one way connection so use UDP. I can see data coming from the HF1 to HF2 using tcpdump watching port 514. But its not being indexed. Below are my conf files. Probably something wrong in the

server: X.X.X.6:514
type: udp

TRANSFORMS-syslog = send_to_syslog

dest_key = _SYSLOG_ROUTING
FORMAT = syslog_out1

_rcvbuf = 16777216
queueSize = 2048mb
persistantQueueSize = 4096mb

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...