
Where is the default sourcetype for udp:514 set?

Communicator

The sourcetype for udp514 is set to syslog. Where is this defined? Is it hard coded in Splunkd or is it defined in a file in /opt/splunk? If the latter, where is it defined?

Thanks,

Sean Coleman


Re: Where is the default sourcetype for udp:514 set?

Esteemed Legend

There is no default. You have to set up a UDP listener inside some inputs.conf. Try this search on your forwarder:

cd "$SPLUNK_HOME" && find . -name inputs.conf -exec grep -il 514 {} \;

Re: Where is the default sourcetype for udp:514 set?

Splunk Employee

Or use btool and look at the location of your udp:514 stanza:

./splunk cmd btool inputs list udp --debug
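
Added example (not part of any post in this thread): the find/grep answer above lists every inputs.conf that mentions 514 anywhere, so this sketch goes one step further and prints, per file, the UDP stanza for a given port and the sourcetype it sets. The function names and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Directory names below are constructed.

# Print "<file>\t<stanza>\t<sourcetype>" for every UDP input stanza on <port>.
udp_sourcetypes() {   # usage: udp_sourcetypes <root-dir> <port>
    find "$1" -type f -name inputs.conf | sort | while IFS= read -r f; do
        awk -v port="$2" -v file="$f" '
            function emit() {
                if (hit) printf "%s\t%s\t%s\n", file, name, (st == "" ? "(not set here)" : st)
            }
            /^[ \t]*\[/ {                      # a new stanza header starts
                emit()
                name = $0
                sub(/^[ \t]*\[/, "", name); sub(/\][ \t\r]*$/, "", name)
                # udp://514, udp://host:514, or the udp:514 spelling used above
                hit = (name ~ ("^udp:(//)?(.*:)?" port "$"))
                st = ""
                next
            }
            hit && /^[ \t]*sourcetype[ \t]*=/ {
                st = $0
                sub(/^[^=]*=[ \t]*/, "", st); sub(/[ \t\r]*$/, "", st)
            }
            END { emit() }
        ' "$f"
    done
}

# Constructed sample tree so the function can be tried offline.
make_sample() {
    mkdir -p "$1/etc/system/default" "$1/etc/apps/search/local" "$1/etc/apps/foo/default"
    printf '[udp://1514]\nsourcetype = netflow\n' > "$1/etc/system/default/inputs.conf"
    printf '[udp://514]\nconnection_host = ip\nsourcetype = syslog\n' \
        > "$1/etc/apps/search/local/inputs.conf"
    printf '[udp://514]\nindex = main\n' > "$1/etc/apps/foo/default/inputs.conf"
}

demo=$(mktemp -d)
make_sample "$demo"
udp_sourcetypes "$demo" 514
rm -rf "$demo"
```

On a real instance, point it at `$SPLUNK_HOME/etc`. It only shows where stanzas are defined; btool with `--debug` is still what tells you which file's value is in effect after merging.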