Hello,
I have configured two network devices (a Cisco router and a Fortigate firewall) to send logs to a Splunk server via UDP port 514. I can successfully see all the raw logs, but particular apps won't show any data because the sourcetype doesn't match. I can't define different sourcetypes for the same UDP port in "Data inputs". How can I overcome this issue?
You can use the following in your inputs.conf:
[udp://123.456.789:514]
index = networking
sourcetype = cisco
[udp://123.456.890:514]
index = networking
sourcetype = fortinet
Hi..
Edit the inputs.conf file in $SPLUNK_HOME/etc/apps/app-name/local/inputs.conf, $SPLUNK_HOME/etc/system/local/inputs.conf or $SPLUNK_HOME/etc/apps/search/local/inputs.conf.
Note: there is no need to enter the configuration below in all of these inputs files; any one of them is fine.
[udp://ipaddressofthedevice:514]
index = linux
sourcetype = linuxevents
[udp://ipaddressofthedevice:514]
index = linux
sourcetype = syslog
Ex:
[udp://10.1.1.10:514]
index = linux
sourcetype = linuxevents
[udp://192.168.1.9:514]
index = linux
sourcetype = syslog
This, exactly as stated here, totally worked for us (Splunk 9).
Create the inputs.conf file, add the stanzas as indicated here, no more, no less, and save the file. In Config Explorer do a debug/refresh and you will see these special inputs appear in the GUI as "[IP]:[PORT]", and data will trickle in to the specified index(es) using the specified sourcetype.
Hi @aeshan
Did Anthony Reinke's or @kml_uvce's answers below solve your question? If yes, please accept the one that did to resolve this post by clicking "Accept" right below the appropriate answer. Thanks!
Patrick
You can edit it in the local directory of the app folder:
$SPLUNK_HOME/etc/apps/app-name/local/inputs.conf
or you can modify it directly from Splunk Web:
http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Enableareceiver
What's your Splunk topology and what are the source paths?
According to the config spec, you cannot define more than one input for the same port:
[udp://
* Similar to TCP, except that it listens on a UDP port.
* Only one stanza per port number is currently supported.
However, did it work for any of you?
Why, when I restrict the host, don't I receive anything? Is there some specific configuration?
My firewall and my switch are allowed to send logs.
Are you seeing the packets with tcpdump/wireshark on the Splunk server?
You are adding an IP address to limit the input selection. If you added [udp://514] to the inputs.conf file, you are saying any IP address on UDP port 514. This is really more like [udp://*:514]. When you add the IP address into the stanza, you are narrowing down the parameters. So [udp://123.456.789:514] is saying: from this IP on this port, do the following in the stanza.
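The matching logic described in the answer above, written out as an added example (this is not Splunk's code and not from the thread). It parses constructed inputs.conf text, resolves which stanza a given sender IP on a given port would land in (host-restricted stanza first, then the any-host stanza), and reports the case that explains the "I don't receive anything" symptom: a sender that matches no stanza gets no index or sourcetype at all. The assumption that an unrestricted and a host-restricted stanza may share a port is flagged as a warning, since the spec quoted in the thread says only one stanza per port is supported.

```python
"""Model how Splunk inputs.conf UDP stanzas select index and sourcetype.

Added example, not Splunk's own code. Semantics assumed from the thread:
[udp://514] (or [udp://*:514]) accepts any sender on port 514, while
[udp://<ip>:514] narrows the stanza to one sender IP.
"""
import configparser
from typing import Dict, List, Optional, Tuple

# Constructed sample inputs.conf: two host-restricted stanzas plus a catch-all.
SAMPLE_INPUTS_CONF = """
[udp://10.1.1.10:514]
index = networking
sourcetype = cisco

[udp://192.168.1.9:514]
index = networking
sourcetype = fortinet

[udp://514]
index = main
sourcetype = syslog
"""

# Constructed sample with host-restricted stanzas only (no catch-all).
SAMPLE_RESTRICTED_ONLY = """
[udp://10.1.1.10:514]
index = networking
sourcetype = cisco
"""

StanzaKey = Tuple[Optional[str], int]  # (sender host or None for any, port)


def parse_inputs_conf(text: str) -> Dict[StanzaKey, Dict[str, str]]:
    """Parse udp:// stanzas into {(host_or_None, port): {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    stanzas: Dict[StanzaKey, Dict[str, str]] = {}
    for section in parser.sections():
        if not section.startswith("udp://"):
            continue  # tcp://, monitor:// etc. are out of scope here
        target = section[len("udp://"):]
        if ":" in target:
            host, port = target.rsplit(":", 1)
        else:
            host, port = None, target  # [udp://514] means any sender
        if host == "*":
            host = None  # [udp://*:514] is the same as [udp://514]
        stanzas[(host, int(port))] = dict(parser[section])
    return stanzas


def resolve(stanzas: Dict[StanzaKey, Dict[str, str]],
            sender_ip: str, port: int) -> Optional[Dict[str, str]]:
    """Return the stanza a datagram from sender_ip on port would hit.

    A stanza restricted to that sender wins; otherwise the any-host stanza
    for the port applies; otherwise None (nothing is listening for it).
    """
    return stanzas.get((sender_ip, port)) or stanzas.get((None, port))


def port_warnings(stanzas: Dict[StanzaKey, Dict[str, str]]) -> List[int]:
    """Ports where a catch-all stanza coexists with host-restricted ones.

    The spec quoted in the thread allows one stanza per port, so mixing the
    two forms on a port is flagged for review rather than assumed to work.
    """
    ports_any = {port for host, port in stanzas if host is None}
    ports_restricted = {port for host, port in stanzas if host is not None}
    return sorted(ports_any & ports_restricted)


if __name__ == "__main__":
    cfg = parse_inputs_conf(SAMPLE_INPUTS_CONF)
    for ip in ("10.1.1.10", "192.168.1.9", "172.16.0.5"):
        print(ip, "->", resolve(cfg, ip, 514))
    print("ports mixing catch-all and restricted stanzas:", port_warnings(cfg))
    only = parse_inputs_conf(SAMPLE_RESTRICTED_ONLY)
    print("unlisted sender with restricted-only config ->", resolve(only, "172.16.0.5", 514))
```

With the first sample, the Cisco and Fortinet senders get their own sourcetypes and any other sender falls through to syslog; with the restricted-only sample, an unlisted sender resolves to nothing, which is the situation to check first when a host-restricted input appears to receive no data.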
Thank you very much for the solution. Can you please specify which inputs.conf file I should edit? I saw several inputs.conf files in several folders.
When you configure the inputs from the web interface, the inputs.conf file will be in the folder of the app you were in before you went into the inputs section. For example, if you were in the Search & Reporting app, the current location of your inputs.conf would be
$SPLUNK_HOME/etc/apps/search/local/inputs.conf
If you are not sure where to store your file with these stanzas, you can use
$SPLUNK_HOME/etc/system/local/inputs.conf