I am evaluating Splunk Light.
I want to collect data from a socket port on an external device. I was hoping that by configuring a TCP data input, entering the correct port number and source type, I would be able to get that data into Splunk Light. However, I am missing one datapoint, the host where the data needs to come from.
The Add Data panel asks me for TCP/UDP, port number, Source name override, and Accept connections from.
Source type is CSV, Method is either IP or DNS, let's say IP and Index is default.
Where do I configure the host the data needs to come from? This is a hardware device and is not able to run a forwarder.
There is a host A on which a service is running which exposes data on TCP socket port 14150.
There is a host B on which Splunk is installed.
On host B TCP input was configured to listen on port 14150.
There is no possibility to run a script or any other application on host A.
So to get the data from host A to host B, Splunk on host B needs to be able to establish a TCP connection on host A port 14150.
Is this possible? Or do I need to run a netcat or socat on host B which connects to host A port 14150 and redirects the data to host B port 14150 so Splunk can receive it? It looks to me that this should be a direct process without intervention of a third party program running on the same host as where Splunk is running. Am I missing something?
Hope this small story of a similar example of implementation helps, which was as follows:
Host A on which there was log file A and forwarder couldn't be installed on Host A. There was Host B on which Splunk was running. So to get the data from Host A to Host B Splunk, on Host B Splunk tcp input was configured to listen on port 12345. Python script was asked to run on Host A to read log file A and when done reading, fire this output to Host B, port 12345 where Splunk will be waiting to receive it. The logs then stayed in Splunk index happily ever after.
In your case if script cannot be put on Host A then there shall be an intermediate implementation which will first read the data from Host A (hardware) port xxxx and then forward it to Host B port 12345 where Splunk will be ready to receive. Choice of implementation shall be yours based on your environment, accessibility and security concerns.
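The intermediate implementation described in this answer, as an added example that is not part of the original post or of Splunk's own tooling: a one-way Python relay that dials out to the device and copies its stream to Splunk's TCP input. The function names, the loopback stand-ins for the device and for Splunk, and the sample CSV rows are all constructed for illustration.

```python
import socket
import threading

def relay_once(device_addr, splunk_addr, idle_timeout=30.0):
    """Dial out to the device and copy its stream to Splunk's TCP input.

    One-directional: nothing is ever written to the device socket. Returns
    bytes forwarded once the device closes; raises socket.timeout if idle.
    """
    forwarded = 0
    with socket.create_connection(device_addr, timeout=idle_timeout) as dev, \
         socket.create_connection(splunk_addr, timeout=idle_timeout) as spl:
        while True:
            chunk = dev.recv(4096)
            if not chunk:  # device closed the connection
                return forwarded
            spl.sendall(chunk)
            forwarded += len(chunk)

def _serve_once(handler):
    """Loopback listener on an ephemeral port; runs handler(conn) for one client."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    addr = srv.getsockname()
    def run():
        conn, _ = srv.accept()
        with conn, srv:
            handler(conn)
    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return addr, thread

def demo():
    """Run the relay between constructed stand-ins for the device and Splunk."""
    sample = b"ts,sensor,value\n1700000000,temp1,21.5\n1700000001,temp1,21.7\n"
    received = bytearray()
    def fake_splunk(conn):
        while chunk := conn.recv(4096):
            received.extend(chunk)
    device_addr, _ = _serve_once(lambda conn: conn.sendall(sample))
    splunk_addr, splunk_thread = _serve_once(fake_splunk)
    sent = relay_once(device_addr, splunk_addr, idle_timeout=5.0)
    splunk_thread.join(timeout=5.0)
    return sent, bytes(received), sample

if __name__ == "__main__":
    print(demo())
```

In real use, `relay_once` takes the device's address with its data port and the address of the Splunk TCP input. Running the relay on the Splunk host and setting the input's "Accept connections from" field to the relay's address keeps other hosts from writing into the index.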