Getting Data In

Understanding and debugging TCP input, is there is a way to understand/view the raw data routed to Splunk?

davidepala
Path Finder

Hi all
I have a tcp stream from logstash to a universal forwarder, the forwarder is already used to forward other inputs (windows log from other servers and some stanzas to monitor local files) and works fine. I've setup a new tcp input on tcp port 9999, this is my inputs.conf

[tcp://9999]
index = firewalls_index
sourcetype = firewalls
disabled = false

In my Splunk I don't see anything in this index but if use netcat (stopping splunk svc) I can see the stream of kv values, thats certified and has no network issue. Is there is a way to understand/view the raw data routed to Splunk? thanks!

0 Karma

xpac
SplunkTrust
SplunkTrust

Check index=_internal firewalls to see if you have any sourcetype parsing issues, or swap firewalls with 9999 in that search. 🙂

0 Karma

davidepala
Path Finder

i've done but no result

0 Karma

xpac
SplunkTrust
SplunkTrust

You could try tcpdump -i eth0 tcp port 9999 -nn to see if traffic is actually flowing while Splunk is running - that would verify that connections are properly established and data arrives.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...