Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to troubleshoot why Splunk isn't reading and indexing incoming syslog messages?

ozirus
Path Finder
‎06-29-2016 06:29 AM

Hi,

I'm trying to read and index messages that come from a Juniper Pulse device using syslog protocol. I used the "Data Input" menu and add 10520/UDP as input port and bind it to a new index.

When I listen to port using tcpdump, I can see the messages from console, however, Splunk can't see and index the incoming data. I tried different sourcetypes like syslog, __singleline etc...

When I run netstat -tunalp | grep 10520, I could see that Splunk is listening on udp port 10520.

How can I debug this situation? What's your advice?

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎06-30-2016 04:42 AM

have you tried to use TCP input instead?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply

ozirus
Path Finder
‎06-30-2016 05:10 AM

It also doesn't work

0 Karma
Reply

masonmorales
Influencer
‎06-29-2016 07:31 AM

Does the data show up in the index if you search All Time?

0 Karma
Reply

ozirus
Path Finder
‎06-30-2016 04:24 AM

No. There is no data in any way.

0 Karma
Reply

jtrucks
Splunk Employee
Splunk Employee
‎06-29-2016 07:14 AM

Start with http://docs.splunk.com/Documentation/Splunk/6.4.1/Troubleshooting/Cantfinddata and https://answers.splunk.com/answers/221885/how-to-troubleshoot-why-i-can-see-network-traffic.html just in case something there helps.

I would try a combination of the splunkd logs and using strace on the Splunk process. Also, enable debug and sifting through the results may be useful.

--
Jesse Trucks
Minister of Magic
0 Karma
Reply

craigv_splunk
Splunk Employee
Splunk Employee
‎06-29-2016 06:49 AM

My recommendation is to take a sample of the data and put it into a file on your local machine. Then go to add data in the Splunk GUI and upload from your local machine. You will then be brought to a screen where it tries to determine a sourcetype. You can play around with different sourcetype settings. When you try one like syslog for example make sure that linebreaking is happening as you'd expect and the a timestamp is extracted from the data.

The other thing to check would be to look at the splunkd.log in index=_internal to check for errors. That could give you a more specific idea of what might be wrong.

0 Karma
Reply

ozirus
Path Finder
‎06-30-2016 04:24 AM

How can I achive this data-import for syslog? tcpdump gives messy ASCII data when I listen syslog port. Any suggestion?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...