Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Getting UDP data

nikhil
Loves-to-Learn
‎05-15-2021 07:43 AM

Hi,

This is default standalone setup. I'm trying to get data in from a network device which sends data as syslog on UDP/5114.

I've configured the UDP/5114 on Splunk. Here are the screenshots of config.udp_data_inputudp_data_input

udp_data_input_detailsudp_data_input_details

I've confirmed that splunk process is listening on port 5114

 

udp_listenerudp_listener

I've also confirmed that I'm getting data on host so no network routing or firewall issue. Bellow is a screenshot of MS Network monitor showing data received on port UDP/5114.

data_on_5114data_on_5114

Yet no data is coming in the splunk instance.no_events_in_splunkno_events_in_splunk

 

Pls help resolve this.

 

--

Thanks & Regards.

Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-18-2021 02:27 AM

I'm not sure about MS Network Monitor (now deprecated btw) - never used it - but Wireshark, for example, just dumps packets from the network interface. Which doesn't mean that they don't get filtered on a host firewall afterwards.

Since you're using UDP which is stateless, connectionless and so on, unless you're actively denying the packets (sending ICMPs), there will be nothing on the network informing you whether the recipient received the packets correctly or not.

So I'd search the firewall rules again.

And two more remarks:

1) If possible, use TCP - it's much more reliable and less prone to event loss

2) Splunk's syslog inputs don't scale well so if you're planning on having big volumes of data ingested this way, consider other forms of providing the source data to Splunk - there are a few methods that can be used (for example - a syslog server writing to buffer file and UF reading that file or a syslog server receiving the events and pushing them to HEC input via HTTP).

But to have something to begin with Splunk's syslog inputs are OK.

0 Karma
Reply

nikhil
Loves-to-Learn
‎05-18-2021 01:24 AM

Hello Everyone,

Can anyone pls help on this.?

 

--

Thanks & Regards

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-15-2021 08:24 AM

Have you considered using Splunk Connect for Syslog (SC4S)?

0 Karma
Reply

nikhil
Loves-to-Learn
‎05-15-2021 10:51 PM

Hi,

Will SC4S(Splunk Connector for Syslog) be supported on my setup.? Do I need separate linux instance for the same.? 

My Splunk Setup:

Splunk Enterprise Server 8.1.3

Windows, 8 GB Physical Memory, 2 CPU Cores

Mode: Standalone

 

--

Thanks & Regards

Tags (2)
0 Karma
Reply

nikhil
Loves-to-Learn
‎05-15-2021 08:31 AM

Considering now. Any comment on the mentioned config.? Is there anything I'm missing in config.? Or any other troubleshooting pointers.?

 

--

Thanks & Regards.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...