I have 2 sources, A and B (routers); they are sending data over UDP port 514.
All of a sudden, source B is not indexed anymore.
I have captured the traffic (tcpdump), and I can see clearly that the traffic is reaching the Splunk server.
My Splunk deployment is a free license all-in-one server.
Any thoughts?
Do you have more than one interface in the server? If you didn't add any restrictions on the firewall or in the input configuration (did you check your config with btool?), maybe it's an issue with rpfilter (I assume you're running your system on Linux).
I hope this helps!!!
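
The reverse-path filter check suggested in the answer, as an added example that is not part of the original thread: the script reports the effective `rp_filter` mode per interface, using the kernel rule that the higher of `conf/all` and `conf/<interface>` applies. In strict mode the kernel drops a packet whose source would not be routed back out of the receiving interface, and tcpdump still shows that packet because capture happens before the check. The function names and the optional directory argument are choices made for this example.

```shell
#!/bin/sh
# Report the effective reverse-path filter mode for each interface.
# Kernel rule: effective value = max(conf/all/rp_filter, conf/<iface>/rp_filter)
# 0 = off, 1 = strict, 2 = loose

rp_filter_report() {
    # $1 (optional, example-only): sysctl tree to read; defaults to the live one.
    base="${1:-/proc/sys/net/ipv4/conf}"
    all=$(cat "$base/all/rp_filter" 2>/dev/null || echo 0)
    for dir in "$base"/*/; do
        iface=$(basename "$dir")
        # "all" and "default" are templates, not real interfaces.
        case "$iface" in all|default) continue ;; esac
        [ -r "$dir/rp_filter" ] || continue
        eff=$(cat "$dir/rp_filter")
        if [ "$all" -gt "$eff" ]; then
            eff=$all
        fi
        case "$eff" in
            0) mode=off ;;
            1) mode=strict ;;
            2) mode=loose ;;
            *) mode=unknown ;;
        esac
        echo "$iface $eff $mode"
    done
}

# Exit status 0 when at least one interface is effectively in strict mode,
# the mode that drops asymmetric traffic on a multi-homed host.
has_strict_rp_filter() {
    rp_filter_report "$1" | grep -q ' strict$'
}

rp_filter_report
```

If the interface receiving the syslog traffic reports `strict`, `nstat -az TcpExtIPReversePathFilter` shows whether the kernel is counting packets dropped by this check.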