How to listen on UDP but Splunk 4.1.7 is not listening?

Contributor

Hi,

I have set up UDP as an input for Splunk 4.1.7 before, but this time my configuration doesn't work and I have no clue why.

Here is the inputs.conf:

[default]
host = blade240

[udp://5420]
connection_host = dns
index = idx_puc_lb
sourcetype = puc-loadbalancer
disabled = 0

What am I doing wrong? I use Splunk 4.1.7.

The forwarder was a LWF, but I enabled the forwarder mode as well, and I added a default-mode.conf file with the following stanza:

[pipeline:udp]
disabled = false

When I ask the forwarder, it tells me that it is listening:

splunk@blade240:/opt/splunk/LWF/splunk/bin# ./splunk list udp
Listening for input on the following UDP ports: 5420

But when I look with netstat -a | grep 5420, there is no port.

splunk@blade240:/opt/splunk/LWF/splunk/bin# netstat -a | grep 5420
splunk@blade240:/opt/splunk/LWF/splunk/bin#
0 Karma
1 Solution

Contributor

Ah ok...now it is working...!

0 Karma

Communicator

Hi tpaulsen,

I am struggling with a similar issue. Can you please tell me what the reason for this was?

Here is my post http://splunk-base.splunk.com/answers/32140/not-able-to-forward-udp-messages-from-universal-fowarder...

0 Karma

Contributor

The problem in my case was that the forwarder was configured as a Lightweight Forwarder, which by default has the port inputs deactivated. I switched the forwarder into heavy forwarder mode and everything worked then.

Unfortunately that happened on Splunk 4.1.7, so I don't know if this applies to the Universal Forwarder.

0 Karma

SplunkTrust

Hi, what was the problem? Maybe this could help someone having the same issue.

0 Karma

Contributor

Ah ok...thank you...that worked. Now I can see the port:

splunk@blade240:/opt/splunk/LWF/splunk/bin# netstat -an | grep 5420
udp 0 0 0.0.0.0:5420 0.0.0.0:*

But still no data in Splunk. Guess we have to puzzle a bit more.

0 Karma

SplunkTrust

Hi tpaulsen, I used your inputs.conf and it is working. Anything in splunkd.log? What is 'netstat -an' stating?

0 Karma
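
A check for the two symptoms in this thread (the forwarder lists the port but the OS shows no socket; the socket is visible but no events arrive), as an added example that is not part of the original posts and is not Splunk code. It reads the Linux /proc/net/udp table instead of grepping netstat output; the sample table and the function names bound_udp_sockets and probe are constructed for illustration.

```python
import socket

# Constructed sample in Linux /proc/net/udp layout (not output from the thread).
# 0x152C == 5420; st 07 is what the kernel shows for a bound, unconnected UDP socket.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:152C 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 41234 2 0000000000000000 0
  102: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 41300 2 0000000000000000 17
"""

def bound_udp_sockets(table_text):
    """Return {local_port: (rx_queue_bytes, drops)} for each socket in the table."""
    result = {}
    for line in table_text.splitlines()[1:]:            # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)     # local_address is HEXIP:HEXPORT
        rx_queue = int(fields[4].split(":")[1], 16)     # field is tx_queue:rx_queue
        drops = int(fields[-1]) if len(fields) >= 13 else 0
        result[port] = (rx_queue, drops)                # last entry wins if a port repeats
    return result

def probe(host, port, payload=b"udp input test", timeout=2.0):
    """Send one datagram and return the byte count; UDP gives no delivery receipt."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        return s.sendto(payload, (host, port))

if __name__ == "__main__":
    PORT = 5420                                         # port from the thread's inputs.conf
    try:
        with open("/proc/net/udp") as fh:               # IPv4 only; IPv6 is /proc/net/udp6
            table = bound_udp_sockets(fh.read())
    except OSError:
        table = bound_udp_sockets(SAMPLE_PROC_NET_UDP)  # non-Linux host: use the sample
    if PORT not in table:
        print(f"no UDP socket bound on {PORT}: the input is not active at OS level")
    else:
        probe("127.0.0.1", PORT)
        rx_queue, drops = table[PORT]
        print(f"{PORT} bound, rx_queue={rx_queue} drops={drops}; probe sent, search the index for it")
```

A rising drops value means datagrams reach the host but the receiving process is not draining its socket; a bound port with zero drops and no events points away from the listener itself.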