Getting Data In

Understanding and debugging TCP input, is there is a way to understand/view the raw data routed to Splunk?

davidepala
Path Finder

Hi all
I have a tcp stream from logstash to a universal forwarder, the forwarder is already used to forward other inputs (windows log from other servers and some stanzas to monitor local files) and works fine. I've setup a new tcp input on tcp port 9999, this is my inputs.conf

[tcp://9999]
index = firewalls_index
sourcetype = firewalls
disabled = false

In my Splunk I don't see anything in this index but if use netcat (stopping splunk svc) I can see the stream of kv values, thats certified and has no network issue. Is there is a way to understand/view the raw data routed to Splunk? thanks!

0 Karma

xpac
SplunkTrust
SplunkTrust

Check index=_internal firewalls to see if you have any sourcetype parsing issues, or swap firewalls with 9999 in that search. 🙂

0 Karma

davidepala
Path Finder

i've done but no result

0 Karma

xpac
SplunkTrust
SplunkTrust

You could try tcpdump -i eth0 tcp port 9999 -nn to see if traffic is actually flowing while Splunk is running - that would verify that connections are properly established and data arrives.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Request for Professional Development: Attending .conf26

Winning Over the Boss: Your Pass to .conf26 conf26 is going to be here before you know it. If don't already ...