Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Very long log events coming over syslog 514/udp are cut

Zoe_
Observer
‎04-01-2025 07:58 PM

Hello
Has anyone encountered the situation of incomplete log transmission using UDP 514? Would changing to TCP be useful?


I would appreciate your support.
greetings

Labels (1)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎04-01-2025 11:17 PM

Hi @Zoe_ ,

Yes, switching from UDP to TCP might resolve incomplete log events sent via syslog.

UDP is a connectionless protocol and does not guarantee delivery or prevent truncation, especially for logs larger than the network's MTU size (typically around 1500 bytes). TCP establishes a connection, ensures ordered and reliable delivery, and handles segmentation and reassembly of large messages, preventing truncation.

# Update your inputs.conf to receive TCP instead of UDP.

[tcp://514]
connection_host = ip # Or dns, depending on your needs
sourcetype = syslog # Set appropriate sourcetype
# Add other settings like index as needed
disabled = 0

# Ensure your old UDP input is disabled
#[udp://514]
#disabled = 1

Remember to restart Splunk or reload the configuration after changes.

Ensure any firewalls between the sending devices and the Splunk receiver allow traffic on the chosen TCP port (e.g., 514).

🌟 Did this answer help you? If so, please consider:

  • Adding kudos to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-01-2025 09:26 PM

With UDP you are limited to a single datagram's length. I think I saw one or two solutions which would split the event at frame boundary and send the remaining part in another frame but there's no reliable way to reassemble those later.

Yes, switching to TCP should solve this issue but might cause performance problems in some cases.

0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...