Understanding and debugging TCP input, is there is...

davidepala · ‎05-01-2018

Hi all
I have a tcp stream from logstash to a universal forwarder, the forwarder is already used to forward other inputs (windows log from other servers and some stanzas to monitor local files) and works fine. I've setup a new tcp input on tcp port 9999, this is my inputs.conf

[tcp://9999]
index = firewalls_index
sourcetype = firewalls
disabled = false

In my Splunk I don't see anything in this index but if use netcat (stopping splunk svc) I can see the stream of kv values, thats certified and has no network issue. Is there is a way to understand/view the raw data routed to Splunk? thanks!

xpac · ‎05-01-2018

Check index=_internal firewalls to see if you have any sourcetype parsing issues, or swap firewalls with 9999 in that search. 🙂

davidepala · ‎05-01-2018

i've done but no result

xpac · ‎05-01-2018

You could try tcpdump -i eth0 tcp port 9999 -nn to see if traffic is actually flowing while Splunk is running - that would verify that connections are properly established and data arrives.

Understanding and debugging TCP input, is there is a way to understand/view the raw data routed to Splunk?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation