Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Parsing logs from UDP input

test_qweqwe
Builder
‎10-31-2017 06:48 PM

I installed addon for my product but the problem is that the addon is intended to collect data from the file, and not from receiving at udp 514 port. How should I reconfigure conf files to make it work?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hardikJsheth
Motivator
‎10-31-2017 10:25 PM

There are multiple options.
1. You can update stanza to listen for UDP traffic on port 514. 

[udp://2514]
sourcetype = Your Sourcetype
index= Define it if it's other than main

  1. Use syslogd/rsyslogd to listen for UDP traffic on port 514 and then put those contents into file which will be read by Splunk. You can keep your inputs.conf configuration as is and configure syslogd to put logs into the same file for which you have input configuration. Sample configuration is as follows:

    $ModLoad imudp
$UDPServerRun 514
### Put logs to file ###
$template rtflow,"$YOURFILELOCATION"
if $msg contains 'RT_FLOW' then -?rtflow
& ~

I would prefer second option as the chance of data loss is reduced in case of Splunk server is restarted.

View solution in original post

Reply
Solved! Jump to solution
Solution

hardikJsheth
Motivator
‎10-31-2017 10:25 PM

There are multiple options.
1. You can update stanza to listen for UDP traffic on port 514. 

[udp://2514]
sourcetype = Your Sourcetype
index= Define it if it's other than main

  1. Use syslogd/rsyslogd to listen for UDP traffic on port 514 and then put those contents into file which will be read by Splunk. You can keep your inputs.conf configuration as is and configure syslogd to put logs into the same file for which you have input configuration. Sample configuration is as follows:

    $ModLoad imudp
$UDPServerRun 514
### Put logs to file ###
$template rtflow,"$YOURFILELOCATION"
if $msg contains 'RT_FLOW' then -?rtflow
& ~

I would prefer second option as the chance of data loss is reduced in case of Splunk server is restarted.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...