How to listen on UDP but Splunk 4.1.7 is not listening?

tpaulsen
Contributor

Hi,

I have set up UDP as an input for Splunk 4.1.7 before. But this time my configuration doesn't work and I have no clue why.

Here is the inputs.conf:

[default]
host = blade240

[udp://5420]
connection_host = dns
index = idx_puc_lb
sourcetype = puc-loadbalancer
disabled = 0

What am I doing wrong? I use Splunk 4.1.7.

The Forwarder was a LWF, but I enabled the Forwarder mode, and I also added a default-mode.conf file with the following stanza:

[pipeline:udp]
disabled = false

When I ask the Forwarder, it tells me that it is listening:

splunk@blade240:/opt/splunk/LWF/splunk/bin# ./splunk list udp
Listening for input on the following UDP ports: 5420

But when I look with netstat -a | grep 5420, there is no port.

splunk@blade240:/opt/splunk/LWF/splunk/bin# netstat -a | grep 5420
splunk@blade240:/opt/splunk/LWF/splunk/bin#
0 Karma

tpaulsen
Contributor

Ah ok...now it is working...!

0 Karma

asingla
Communicator

Hi tpaulsen,

I am struggling with a similar issue. Can you please tell what was the reason for this?

Here is my post http://splunk-base.splunk.com/answers/32140/not-able-to-forward-udp-messages-from-universal-fowarder...

0 Karma

tpaulsen
Contributor

The problem in my case was that the forwarder was configured as a Lightweight Forwarder, which has the port inputs deactivated by default. I switched the Forwarder into heavy Forwarder mode and everything worked then.

Unfortunately that happens on Splunk 4.1.7, so I don't know if this applies to Universal Forwarder.

0 Karma

MuS
SplunkTrust

Hi, what was the problem? Maybe this could help someone having the same issue.

0 Karma

tpaulsen
Contributor

Ah ok...thank you...that worked. Now I can see the port:

splunk@blade240:/opt/splunk/LWF/splunk/bin# netstat -an | grep 5420
udp 0 0 0.0.0.0:5420 0.0.0.0:*

But still no data in Splunk. Guess we have to puzzle a bit more.

0 Karma

MuS
SplunkTrust

Hi tpaulsen, I used your inputs.conf and it is working. Anything in splunkd.log? What is 'netstat -an' stating?

0 Karma
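
A way to confirm the listener without depending on how netstat prints ports, as an added example that is not part of the original thread or of Splunk: it parses the Linux /proc/net/udp table, where ports are hexadecimal (5420 is 152C), and reports whether the port is bound, by which uid, and how many datagrams were dropped. The sample table is constructed and the function names are hypothetical.

```python
"""Check whether a UDP port is bound by reading the Linux UDP socket table."""
import sys

# Constructed sample in /proc/net/udp format (not captured from the thread's host).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  112: 00000000:152C 00000000:0000 07 00000000:00000000 00:00000000 00000000  1001        0 48211 2 0000000000000000 0
  240: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 17333 2 0000000000000000 17
"""

def parse_udp_table(text):
    """Return one dict (addr, port, uid, drops) per bound IPv4 UDP socket."""
    sockets = []
    for line in text.splitlines()[1:]:           # skip the header row
        fields = line.split()
        if len(fields) < 13 or ":" not in fields[1]:
            continue                             # ignore short or malformed rows
        hex_addr, hex_port = fields[1].split(":")
        # The address is printed byte-reversed on little-endian hosts:
        # 0100007F -> 127.0.0.1
        octets = [str(int(hex_addr[i:i + 2], 16)) for i in (6, 4, 2, 0)]
        sockets.append({
            "addr": ".".join(octets),
            "port": int(hex_port, 16),           # 152C -> 5420
            "uid": int(fields[7]),               # owner of the socket
            "drops": int(fields[12]),            # datagrams the kernel discarded
        })
    return sockets

def find_listener(text, port):
    """Return the sockets bound to `port`; an empty list means nothing is bound."""
    return [s for s in parse_udp_table(text) if s["port"] == port]

if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 5420
    try:
        with open("/proc/net/udp") as fh:        # IPv6 sockets are in /proc/net/udp6
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_UDP              # not on Linux: use the sample
    hits = find_listener(table, port)
    for s in hits:
        print(f"udp {s['addr']}:{s['port']} bound, uid={s['uid']}, drops={s['drops']}")
    if not hits:
        print(f"nothing bound to udp port {port}")
```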