Error while adding more than 1 Cisco device

jfk87
New Member

Dear Experts, 

I am trying to add data to monitor Cisco logs through Splunk. I am only able to add 1 device; it gives an error when I add more devices.

Snapshot of the error is shown below.

Any help regarding this will be appreciated.

jfk87_0-1617622559625.png

 

0 Karma

jfk87
New Member

Will be thankful if there is any help regarding this

 

0 Karma

brentw
Splunk Employee

Hello there. Consider using Splunk Connect for Syslog. It is a tool that will allow very easy implementation of data sources like Cisco through syslog-ng. It will ultimately write to HTTP Event Collector in Splunk.

See this link for additional information. I hope this helps because I have been having great success with this tool!

jfk87
New Member

Thanks, have to check it.

0 Karma

richgalloway
SplunkTrust

It would help if you explained the steps to reproduce this problem, but I suspect you are doing at least two things wrong:

1) Trying to send syslog events directly to Splunk.  This has been discouraged for a few years because it can lead to data loss.  Best Practice is to send syslog events to a dedicated syslog server and forward them from there to Splunk.

2) Assuming there is a one-to-one relationship between a UDP port and a network device.  This is not the case.  Once Splunk is listening to a port, it will accept data from thousands of devices, provided they match the "Only accept connection from" setting.

---
If this reply helps you, Karma would be appreciated.
0 Karma
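
Point 2 of the reply above, shown at the socket level as an added example (not part of the thread and not Splunk's code): one UDP listener receives events from any number of senders, and the same port cannot be opened a second time. It assumes an ephemeral loopback port in place of udp/514, constructed syslog lines from three hypothetical devices, and a simple source-address allow-list standing in for an "only accept from" restriction.

```python
import ipaddress
import socket

# Constructed sample events from three hypothetical Cisco devices.
SAMPLE = [
    "<189>Apr  5 12:00:01 sw-core-01 %LINK-3-UPDOWN: Interface Gi0/1, changed state to up",
    "<189>Apr  5 12:00:02 rtr-edge-02 %SYS-5-CONFIG_I: Configured from console",
    "<189>Apr  5 12:00:03 fw-dmz-03 %SEC-6-IPACCESSLOGP: list 101 denied tcp",
]

def open_listener(port=0):
    """Bind one UDP socket; port 0 is an ephemeral stand-in for udp/514."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", port))
    sock.settimeout(2)
    return sock

def allowed(src_ip, acl):
    """Source-address check against a list of permitted networks (assumed ACL)."""
    return any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(n) for n in acl)

def second_listener_fails(listener):
    """Try to open the same port again, as a duplicate input definition would."""
    try:
        open_listener(listener.getsockname()[1]).close()
    except OSError:  # address already in use
        return True
    return False

def run_demo(acl=("127.0.0.0/8",)):
    listener = open_listener()
    dest = listener.getsockname()
    duplicate_rejected = second_listener_fails(listener)
    for line in SAMPLE:  # one separate sender socket per device
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as dev:
            dev.sendto(line.encode(), dest)
    hosts = set()
    for _ in SAMPLE:
        data, (src_ip, _port) = listener.recvfrom(4096)
        if allowed(src_ip, acl):
            hosts.add(data.decode().split()[3])  # hostname field of the event
    listener.close()
    return duplicate_rejected, sorted(hosts)

if __name__ == "__main__":
    print(run_demo())
```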

jfk87
New Member

It can be reproduced by doing the following:

Add Data > Monitor > TCP/UDP > then mention the port udp/514 and add any IP address in the "Only accept connection from" field.

It is just accepting one device, and when I am trying to add another device, it is showing an error, as was mentioned in the snap in my last post.

 

0 Karma

richgalloway
SplunkTrust

Did you read point #2 in my answer?  It doesn't make sense to add the same port multiple times.  Once Splunk is listening to a port there is no need to tell it to do so again.

Please describe the problem you are trying to solve.  What is it that adding another port 514 input will do for you?

---
If this reply helps you, Karma would be appreciated.
0 Karma