Licensing is fine.

I switch to TCP from UDP input from the SAME source and everything is fine. All the logs are ingested and indexed and are searchable properly. UDP seems to be the issue.

I am using the admin account created during install. Splunk installed on windows server with admin privileges. 

It is just a single head. No cluster or separate indexers. 

Hi @law175,

a very stupid question: you changed protocol from from UDP to TCP, did you changed the input stanza?

which search are you using?

Ciao.

Giuseppe

Yes what I do is do Data Inputs > TCP > New Local TCP > Port 9008 TCP / Source type = Syslog / Method = IP / App Context = search and reporting / Index = default.

If I switch, I delete the TCP and add in a new UDP with the same settings.

Right now I have a TCP 9008 and a UDP 9004 running, with the same appliance forwarding logs via Syslog to both TCP and UDP ports. TCP has been working fine for 4 days now (though with lots of dropped events). Appliance sends logs fine from appliance via UDP, but Splunk has stopped searching within 1 hour. 

The same log appears as the last shown log. It is a memory output that breaks down over around 50 lines (assuming it is too big). Could there be some error occuring with a sylsog that is too big that is breaking searching?

The search I am using is source="udp:9004"

Hi @law175,

what's the result running 

index=your_index host=192.168.79.1

have you one or two sources?

Ciao.

Giuseppe

For now just one.

All logs are being forwarded to a logging server (VMware vRealize Log Insight). Then I am sending logs via syslog from that appliance to Splunk. All logs should come from that 192.168.79.1 on either UDP:9004 or TCP:9008, depending on what I choose.

Hi @law175,

are you receiving UDP logs or TCP logs?

Ciao.

Giuseppe

UDP. The picture is UDP. I am sendings logs via Syslog on port UDP:9004.

I only opened TCP:9008 for testing purposes. Everything works on TCP as expected. 

I want to fix UDP.

Hi @law175,

let me understand: are you sending UDP9008 or TCP9008 or both?

which ones you whould have?

which ones are you receiving?

Ciao.

Giuseppe

UDP. Just UDP. I only did TCP for testing purposes. I only want to receive UDP.

I switched the time from (past 5 minutes) to All Time (real time) and logs are appearing. There is an issue with how Splunk is processing Time from these logs it seems.

Hi @law175 ,

check if the timestamp is correct nad don't use for testing Real Time.

Ciao.

giuseppe

Timestamp correct. Timestamp received by Splunk matches what is recorded on the appliance.

All time (real-time) is the only search that allows me to see logs. Searching any other time does not work. 

For example, look at pictures below.  Searching in previous 5 minutes shows no logs. I switch to All time (real-time) and all logs are being shown.