Getting Data In
Highlighted

Understanding and debugging TCP input, is there is a way to understand/view the raw data routed to Splunk?

Path Finder

Hi all
I have a tcp stream from logstash to a universal forwarder, the forwarder is already used to forward other inputs (windows log from other servers and some stanzas to monitor local files) and works fine. I've setup a new tcp input on tcp port 9999, this is my inputs.conf

[tcp://9999]
index = firewalls_index
sourcetype = firewalls
disabled = false

In my Splunk I don't see anything in this index but if use netcat (stopping splunk svc) I can see the stream of kv values, thats certified and has no network issue. Is there is a way to understand/view the raw data routed to Splunk? thanks!

0 Karma
Highlighted

Re: Understanding and debugging TCP input, is there is a way to understand/view the raw data routed to Splunk?

SplunkTrust
SplunkTrust

Check index=_internal firewalls to see if you have any sourcetype parsing issues, or swap firewalls with 9999 in that search. 🙂

0 Karma
Highlighted

Re: Understanding and debugging TCP input, is there is a way to understand/view the raw data routed to Splunk?

Path Finder

i've done but no result

0 Karma
Highlighted

Re: Understanding and debugging TCP input, is there is a way to understand/view the raw data routed to Splunk?

SplunkTrust
SplunkTrust

You could try tcpdump -i eth0 tcp port 9999 -nn to see if traffic is actually flowing while Splunk is running - that would verify that connections are properly established and data arrives.

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.