Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Syslog data source and Splunk 5.0.3 on Windows 2008

mas
Path Finder
‎08-14-2013 02:07 AM

After the upgrade to Splunk 5.0.3, my syslog data sources suddenly stopped to work. Using MS Network Monitor and Wireshark, I am able to see syslog packets reaching the server. Upgrading to 5.0.4 did not resolve the issue.

Splunk is installed on a Windows 2008 R2 machine.

Anyone experiencing the same problem?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mas
Path Finder
‎08-19-2013 02:10 AM

I found the problem. The same day of the update, a configuration change had been made in props.conf (under ./etc/system/local). A stanza had been created to match data sent by three specific hosts (just say: serverA, serverB and serverC). There was a typo in this stanza name! It had been defined as:

[host::serverA|host::serverB||host::serverC]

instead of

[host::serverA|host::serverB|host::serverC]

The double "||" caused a "match-all" situation. In addition, this stanza has a conditional redirect of all the events, with the exception of the required ones, to the null queue. All the syslog events, as a result, were discarded!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mas
Path Finder
‎08-19-2013 02:10 AM

I found the problem. The same day of the update, a configuration change had been made in props.conf (under ./etc/system/local). A stanza had been created to match data sent by three specific hosts (just say: serverA, serverB and serverC). There was a typo in this stanza name! It had been defined as:

[host::serverA|host::serverB||host::serverC]

instead of

[host::serverA|host::serverB|host::serverC]

The double "||" caused a "match-all" situation. In addition, this stanza has a conditional redirect of all the events, with the exception of the required ones, to the null queue. All the syslog events, as a result, were discarded!

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎08-15-2013 10:24 AM

Can you verify your inputs? Did you make changes in a default/inputs.conf file? They may have been overwritten. Does the input appear in the manager?

0 Karma
Reply
Solved! Jump to solution

mas
Path Finder
‎08-18-2013 11:56 PM

Hi alacercogitatus, thank you for your answer. I never change conf files in "default" folders. The input appears in the manager. In addition, I tried to install a syslog server (temporary disabling the input source) and syslog messages were traced correctly.

It seems that Splunk is refusing to collect data for this data source.

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...