Getting Data In

Configuring udp with multiple ipaddress


Hi, I would like to configure my inputs.conf with udp on port 514.
Like below:


My question is: can I add multiple IP addresses in the remote_server field, as I want to receive data from a particular set of IP addresses?


0 Karma

Ultra Champion


No, you can't specify multiple IP addresses in a udp stanza in inputs.conf.

But you can use the configuration below to restrict your UDP port to accept traffic from certain IP addresses.


acceptFrom =,, .....,

From Splunk doc

acceptFrom = <network_acl> ...
* Lists a set of networks or IP addresses from which to accept connections.
* Specify multiple rules with commas or spaces.
* Each rule can be in the following forms:
    1. A single IPv4 or IPv6 address (examples: "", "fe80::4a3")
    2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
    3. A DNS name, possibly with a "*" used as a wildcard (examples:
       "", "*")
    4. "*", which matches anything.
* You can also prefix an entry with '!' to cause the rule to reject the
  connection. The input applies rules in order, and uses the first one that
  For example, "!10.1/16, *" allows connections from everywhere except
  the 10.1.*.* network.
* Default: "*" (accept from anywhere)


  1. Please keep in mind that if you are running your Splunk instance as a non-root user, then you can't occupy a port lower than 1024 on Linux servers; only the root user can occupy a port lower than 1024 on Linux.
  2. I'd suggest using a syslog server to accept traffic from network, security or any other devices which send data over syslog. If you receive syslog traffic directly on Splunk, then during a Splunk restart you will lose data; however, a syslog server like rsyslog or syslog-ng will write the data to a file on disk, and a Splunk UF can monitor that log file, so you will not lose data.


Hi, I have a range of IP addresses like,,,,,
So, how can I pass these values to the acceptFrom field? Is there a shorter way other than mentioning all the IP addresses specifically?
Can I just mention as (CIDR block method)..

0 Karma

Ultra Champion

As you have 15 IP addresses which don't fit under a single CIDR block, you can try something like this. I am not sure whether a combination of CIDR and IP address will work or not, but you can give it a try.

acceptFrom =,

For how CIDR calculates IP ranges, try to google subnet calculation and you will be able to figure out what is the meaning of

0 Karma
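
Added example (not part of the original thread and not Splunk's own code): a Python check that collapses a set of sender addresses into the fewest CIDR rules and then tests which sources an acceptFrom value would admit, following the first-match and '!' semantics in the documentation quoted above. The 192.0.2.x addresses are constructed samples, the function names are hypothetical, DNS-name rules are not modelled, and rejecting a source that matches no rule is an assumption.

```python
import ipaddress

# Constructed sample: 15 senders that do not fit in one CIDR block.
SAMPLE_SOURCES = [f"192.0.2.{host}" for host in range(16, 31)]

def parse_rule(rule):
    """Return (allow, network) for one rule; network is None for '*'."""
    allow = not rule.startswith("!")
    body = rule.lstrip("!")
    if body == "*":
        return allow, None
    addr, _, prefix = body.partition("/")
    if prefix and ":" not in addr:
        # Expand the documented IPv4 shorthand, e.g. "10/8" -> "10.0.0.0/8".
        addr = ".".join((addr.split(".") + ["0"] * 4)[:4])
    # A DNS-name rule is not modelled here and raises ValueError.
    target = addr + ("/" + prefix if prefix else "")
    return allow, ipaddress.ip_network(target, strict=False)

def accepts(acl, source_ip):
    """Apply rules in order; the first rule that matches decides."""
    ip = ipaddress.ip_address(source_ip)
    for rule in acl.replace(",", " ").split():
        allow, net = parse_rule(rule)
        if net is None or ip in net:
            return allow
    return False  # assumption: a source matching no rule is rejected

def shortest_acl(addresses):
    """Collapse individual addresses into the fewest CIDR blocks and hosts."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(a) for a in addresses)
    return ", ".join(
        str(n.network_address) if n.num_addresses == 1 else str(n) for n in nets
    )

if __name__ == "__main__":
    acl = shortest_acl(SAMPLE_SOURCES)
    print("acceptFrom =", acl)
    # Probe the edges of the range to confirm nothing extra is admitted.
    for probe in ("192.0.2.15", "192.0.2.16", "192.0.2.30", "192.0.2.31"):
        print(probe, "accepted" if accepts(acl, probe) else "rejected")
```

Probing the addresses just outside each end of the range is the quickest way to catch a CIDR block that is one bit too wide before the value goes into inputs.conf.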


Thanks for the details. I tried the same way. It's working.

0 Karma


Hi Harshil, Thanks for the reply. I will check this flow. regards, Santosh

0 Karma