Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Getting UDP data

nikhil
Explorer
‎05-15-2021 07:43 AM

Hi,

This is default standalone setup. I'm trying to get data in from a network device which sends data as syslog on UDP/5114.

I've configured the UDP/5114 on Splunk. Here are the screenshots of config.udp_data_inputudp_data_input

udp_data_input_detailsudp_data_input_details

I've confirmed that splunk process is listening on port 5114

 

udp_listenerudp_listener

I've also confirmed that I'm getting data on host so no network routing or firewall issue. Bellow is a screenshot of MS Network monitor showing data received on port UDP/5114.

data_on_5114data_on_5114

Yet no data is coming in the splunk instance.no_events_in_splunkno_events_in_splunk

 

Pls help resolve this.

 

--

Thanks & Regards.

Labels (2)
Labels
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-18-2021 02:27 AM

I'm not sure about MS Network Monitor (now deprecated btw) - never used it - but Wireshark, for example, just dumps packets from the network interface. Which doesn't mean that they don't get filtered on a host firewall afterwards.

Since you're using UDP which is stateless, connectionless and so on, unless you're actively denying the packets (sending ICMPs), there will be nothing on the network informing you whether the recipient received the packets correctly or not.

So I'd search the firewall rules again.

And two more remarks:

1) If possible, use TCP - it's much more reliable and less prone to event loss

2) Splunk's syslog inputs don't scale well so if you're planning on having big volumes of data ingested this way, consider other forms of providing the source data to Splunk - there are a few methods that can be used (for example - a syslog server writing to buffer file and UF reading that file or a syslog server receiving the events and pushing them to HEC input via HTTP).

But to have something to begin with Splunk's syslog inputs are OK.

Reply

nikhil
Explorer
‎05-18-2021 01:24 AM

Hello Everyone,

Can anyone pls help on this.?

 

--

Thanks & Regards

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-15-2021 08:24 AM

Have you considered using Splunk Connect for Syslog (SC4S)?

0 Karma
Reply

nikhil
Explorer
‎05-15-2021 10:51 PM

Hi,

Will SC4S(Splunk Connector for Syslog) be supported on my setup.? Do I need separate linux instance for the same.? 

My Splunk Setup:

Splunk Enterprise Server 8.1.3

Windows, 8 GB Physical Memory, 2 CPU Cores

Mode: Standalone

 

--

Thanks & Regards

Tags (2)
0 Karma
Reply

nikhil
Explorer
‎05-15-2021 08:31 AM

Considering now. Any comment on the mentioned config.? Is there anything I'm missing in config.? Or any other troubleshooting pointers.?

 

--

Thanks & Regards.

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...