Creating new UDP Data Inputs for received syslog data from specific hosts to go to a specific Index. After creating the data input with multiple hosts (comma delimited) the status is initially disabled. I have no problem enabling afterwards, but wondering if multiple hosts aren't allowed and that is why it is disabled or is it just a precaution?
so i added them all in. no problems. they show up in the gui just fine. however...
when i set a stanza to collect all syslog traffic and direct it to index 'syslog', it doesn't show in the gui. so will this work even though it's not showing?
index = syslog
sourcetype = syslog
connection_host = ip
Did you bump Splunk after making the change in the .conf file? Either by restarting or by hitting this URL:
interesting. normally configurations adding in the gui update conf files under local, but these additions do not.
All UI settings must appear under local directories, else they would be lost on an upgrade of Splunk.
Make sure you've not just checked the wrong app and keep
system/local in mind.
How are you creating the inputs?
through the gui: settings > data inputs > > udp > new
is there a conf to do this?