Hi,
i have setup before UDP as input for Splunk 4.1.7. But this time my configuration doesn´t work and i have no clue why?
Here the inputs.conf
[default]
host = blade240
[udp://5420]
connection_host = dns
index = idx_puc_lb
sourcetype = puc-loadbalancer
disabled = 0
What am i doing wrong? I use Splunk 4.1.7.
The Forwarder was a LWF but i enabled the Forwarder mode as well did i add a default-mode.conf file with the following stanza:
[pipeline:udp]
disabled = false
When i ask the Forwarder it tells me, that it is listening:
splunk@blade240:/opt/splunk/LWF/splunk/bin# ./splunk list udp
Listening for input on the following UDP ports: 5420
But when i look with netstat -a | grep 5420
there is no port.
splunk@blade240:/opt/splunk/LWF/splunk/bin# netstat -a | grep 5420
splunk@blade240:/opt/splunk/LWF/splunk/bin#
Hi tpaulsen,
I am struggling with similar issue. Can you please tell what what was the reason for this?
Here is my post http://splunk-base.splunk.com/answers/32140/not-able-to-forward-udp-messages-from-universal-fowarder...
The problem in my case was, that the forwarder was configured as a Lightweight Forwarder, which has by default the port inputs deactivated. I switched the Forwarder into heavy Forwarder mode and everything worked then.
Unfortunately that happens on Splunk 4.1.7, so i don´t know if this applies to Universal Forwarder.
Ah ok...now it is working...!
The problem in my case was, that the forwarder was configured as a Lightweight Forwarder, which has by default the port inputs deactivated. I switched the Forwarder into heavy Forwarder mode and everything worked then.
Unfortunately that happens on Splunk 4.1.7, so i don´t know if this applies to Universal Forwarder.
Hi what was the problem, maybe this could help someone having the same issue
Ah ok...thank you...that worked. Now i can see the port:
splunk@blade240:/opt/splunk/LWF/splunk/bin# netstat -an | grep 5420
udp 0 0 0.0.0.0:5420 0.0.0.0:*
But still no data in Splunk. Guess we have to puzzle a bit more.
hi tpaulsen, I used your inputs.conf and it is working. anything in splunkd.log? what is 'netstat -an' stating?