Getting Data In

How to configure a forwarder to listen on tcp/udp for syslog for Splunk Light cloud service?

New Member

Hey,

I'm new to Splunk, so I may be missing something... However, I can't seem to configure a forwarder to listen on a network port (tcp/udp for syslog).

So far I have:
- Installed the forwarder which shows up in the Splunk Light dloud portal
- I have set the forwarder to monitor local event logs and the data is flowing into Splunk ok
- When I go to Add data, select the forwarder, select the server class, I can't click on the option for "Configure Splunk to listen on a network port." It also seems to be missing it's blue heading in that box. I can click on the other four options, but not that one.

Any ideas? Am I missing something?

Thanks...Scott

0 Karma

Splunk Employee
Splunk Employee

Looks like there is a bug introduced in the recent version that is preventing UI from working.
As a work around you can go to the machine where forwarder is running, and manually create (if none exists) inputs.conf file in /etc/system/local folder and update/add TCP input there and restart the forwarder (/bin/splunk restart).

Example stanza for receiving syslog via TCP input (update for your port and source type as appropriate):

[tcp://33333]
sourcetype=syslog
disabled=false

Splunk Employee
Splunk Employee

could you post a screen-shot?
if you have a server class defined that contains the forwarder(s) you're trying to enable the tcp/udp input on then there shouldn't be a problem.
thnx

0 Karma

New Member

Sure...here you go.
Screen Cap

0 Karma

Splunk Employee
Splunk Employee

ok, thnx. i'm looking into it/trying to re-produce the issue.

0 Karma

Splunk Employee
Splunk Employee

for now, the "Use the CLI" section of this doc may help: http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/Configureyourinputs#Use_the_CLI

0 Karma