I have configured two network devices (a Cisco router and a FortiGate firewall) to send logs to a Splunk server via UDP port 514. I can successfully see all the raw logs, but particular apps won't show any data because the sourcetype doesn't match. I can't define different sourcetypes for the same UDP port in "Data inputs". How can I overcome this issue?
You can use the following in your inputs.conf:

[udp://123.456.789:514]
index = networking
sourcetype = cisco

[udp://123.456.890:514]
index = networking
sourcetype = fortinet
Thank you very much for the solution. Can you please specify which inputs.conf file I should edit? I saw that there are several inputs.conf files in several folders.
When you configure the inputs from the website, the inputs.conf file will be in the app folder that you were in before you went into the inputs section. For example, if you were in the Search & Reporting app, the current location for your inputs.conf would be in
If you are not sure where to store your file with these stanzas, you can use
According to the config spec, you cannot define more than one input for the same port:
* Similar to TCP, except that it listens on a UDP port.
* Only one stanza per port number is currently supported.
However, did it work for any of you??
You are adding an IP address to limit the input selection. If you added
[udp://514] to the inputs.conf file, you are saying any IP address on UDP port 514. This is really more like
[udp://*:514]. When you add the IP address into the stanza, you are narrowing down the parameters. So
[udp://123.456.789:514] is saying: from this IP on this port, do the following in the stanza.
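Added example (not configuration from any of the posts above): since the inputs.conf spec quoted earlier allows only one stanza per UDP port, a common alternative to per-IP input stanzas is to keep a single [udp://514] listener and let props.conf/transforms.conf assign the sourcetype from the sending host at parse time. The addresses 192.0.2.1 and 192.0.2.2, the initial sourcetype name netdevice_syslog and the index name are placeholders chosen for this illustration; the final sourcetype names cisco and fortinet simply mirror the answer above and must be replaced with whatever the installed apps actually expect.

```ini
# --- inputs.conf ---------------------------------------------------------
# One listener for both devices. "netdevice_syslog" is a placeholder initial
# sourcetype chosen here; anything the transforms below fail to match keeps it,
# which makes unrouted events easy to find (search sourcetype=netdevice_syslog).
# connection_host = ip sets the host field to the sender's IP address.
[udp://514]
index = networking
sourcetype = netdevice_syslog
connection_host = ip

# --- props.conf ----------------------------------------------------------
# Must live on the instance that parses the data (indexer or heavy forwarder),
# not on a universal forwarder. Each UDP datagram is one event, so never merge.
[netdevice_syslog]
SHOULD_LINEMERGE = false
TRANSFORMS-route_sourcetype = set_st_cisco, set_st_fortinet

# --- transforms.conf -----------------------------------------------------
# Rewrite the sourcetype from the host metadata. MetaData:Host values carry a
# "host::" prefix, so the regex must include it. 192.0.2.1 and 192.0.2.2 are
# placeholder addresses standing in for the router and the firewall.
[set_st_cisco]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.0\.2\.1$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco

[set_st_fortinet]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.0\.2\.2$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::fortinet
```

Put the three sections into the matching files under $SPLUNK_HOME/etc/apps/<your_app>/local/ on the parsing instance, restart Splunk, and confirm what is actually in effect with `splunk btool inputs list --debug`, `splunk btool props list netdevice_syslog --debug` and `splunk btool transforms list --debug`. Two caveats: host matching only works when the packets really arrive from the listed IP (no NAT or relay in between), and the rewritten sourcetype drives search-time field extractions (which is what the apps key on) while index-time settings such as line breaking still come from the initial sourcetype, which is why SHOULD_LINEMERGE is set on the placeholder stanza.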
Why, when I restrict the host, don't I receive anything? Is there some specific configuration?
My firewall and my switch are allowed to send logs.
You can edit it in the local directory of the app's folder, or you can directly modify it from Splunk Web.