Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to troubleshoot why Splunk isn't reading and indexing incoming syslog messages?

ozirus
Path Finder
‎06-29-2016 06:29 AM

Hi,

I'm trying to read and index messages that come from a Juniper Pulse device using syslog protocol. I used the "Data Input" menu and add 10520/UDP as input port and bind it to a new index.

When I listen to port using tcpdump, I can see the messages from console, however, Splunk can't see and index the incoming data. I tried different sourcetypes like syslog, __singleline etc...

When I run netstat -tunalp | grep 10520, I could see that Splunk is listening on udp port 10520.

How can I debug this situation? What's your advice?

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎06-30-2016 04:42 AM

have you tried to use TCP input instead?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply

ozirus
Path Finder
‎06-30-2016 05:10 AM

It also doesn't work

0 Karma
Reply

masonmorales
Influencer
‎06-29-2016 07:31 AM

Does the data show up in the index if you search All Time?

0 Karma
Reply

ozirus
Path Finder
‎06-30-2016 04:24 AM

No. There is no data in any way.

0 Karma
Reply

jtrucks
Splunk Employee
Splunk Employee
‎06-29-2016 07:14 AM

Start with http://docs.splunk.com/Documentation/Splunk/6.4.1/Troubleshooting/Cantfinddata and https://answers.splunk.com/answers/221885/how-to-troubleshoot-why-i-can-see-network-traffic.html just in case something there helps.

I would try a combination of the splunkd logs and using strace on the Splunk process. Also, enable debug and sifting through the results may be useful.

--
Jesse Trucks
Minister of Magic
0 Karma
Reply

craigv_splunk
Splunk Employee
Splunk Employee
‎06-29-2016 06:49 AM

My recommendation is to take a sample of the data and put it into a file on your local machine. Then go to add data in the Splunk GUI and upload from your local machine. You will then be brought to a screen where it tries to determine a sourcetype. You can play around with different sourcetype settings. When you try one like syslog for example make sure that linebreaking is happening as you'd expect and the a timestamp is extracted from the data.

The other thing to check would be to look at the splunkd.log in index=_internal to check for errors. That could give you a more specific idea of what might be wrong.

0 Karma
Reply

ozirus
Path Finder
‎06-30-2016 04:24 AM

How can I achive this data-import for syslog? tcpdump gives messy ASCII data when I listen syslog port. Any suggestion?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...