Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Understanding and debugging TCP input, is there is a way to understand/view the raw data routed to Splunk?

davidepala
Path Finder
‎05-01-2018 08:06 AM

Hi all
I have a tcp stream from logstash to a universal forwarder, the forwarder is already used to forward other inputs (windows log from other servers and some stanzas to monitor local files) and works fine. I've setup a new tcp input on tcp port 9999, this is my inputs.conf

[tcp://9999]
index = firewalls_index
sourcetype = firewalls
disabled = false

In my Splunk I don't see anything in this index but if use netcat (stopping splunk svc) I can see the stream of kv values, thats certified and has no network issue. Is there is a way to understand/view the raw data routed to Splunk? thanks!

0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎05-01-2018 08:47 AM

Check index=_internal firewalls to see if you have any sourcetype parsing issues, or swap firewalls with 9999 in that search. 🙂

0 Karma
Reply

davidepala
Path Finder
‎05-01-2018 10:55 AM

i've done but no result

0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎05-01-2018 04:49 PM

You could try tcpdump -i eth0 tcp port 9999 -nn to see if traffic is actually flowing while Splunk is running - that would verify that connections are properly established and data arrives.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...
li.common.scroll-to.top