Getting Data In

Why is TCP data not being indexed?

Champion

Hi,

I have a feed of events coming into my Splunk Heavy Forwarder, but they aren't being indexed, and I'm baffled. Here's my inputs.conf:

[tcp://:1918]
index = istr_security 
sourcetype =  bcoat_proxysg
disabled = false

[tcp://:1919]
index = istr_security
sourcetype = bcoat_proxysg_plug
disabled = false
`
[tcp://:1920]
connection_host = dns
source = tcp:1920
index = istr_security
sourcetype = bcoat_proxysg_socks
disabled = false

1918 works. It's been in place for a long time. We are now sending 1920, but it's not showing up. I checked future events, and looked in the logs for any errors, but can't find any. I do see these messages, but they seem to be telling me that Splunk is now reading my port. I did a packet capture, and data is arriving.

10-26-2016 13:51:47.027 -0400 INFO  TcpInputConfig - IPv4 port 1920 is reserved for raw input
10-26-2016 13:51:47.027 -0400 INFO  TcpInputConfig - IPv4 port 1920 will negotiate new-s2s protocol
10-26-2016 13:51:47.027 -0400 INFO  TcpInputProc - Creating raw Acceptor for IPv4 port 1920 with Non-SSL

0 Karma
1 Solution

Champion

Fixed. LTM issue - Splunk was fine.

0 Karma

Champion

And they found the issue with Splunk! hahahaha!

0 Karma

Builder

Can you please explain what the issue was on the LTM side? I am also facing the same problem. Can you tell me the fix for it? Does anything need to be done from the Splunk side? Please reply. Thanks.

0 Karma

Ultra Champion

There's a tick mark on line 10 - is that a typo in the answers post?

If you change the port from 1920 to something else, does it work?

When Splunk is stopped on that host, is another process using that port? (netstat -an | grep 1920)

0 Karma
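A small checker for the kind of problem this reply points at, added here as an example and not part of the thread: it parses the inputs.conf from the question (copied below as constructed sample data), reports any line that is not a stanza header, a key = value setting, a comment or blank, and lists the TCP ports Splunk should be listening on so they can be compared with the netstat output.

```python
import re

# Constructed copy of the inputs.conf from the question; the stray backtick is on line 10, as in the post.
SAMPLE_INPUTS_CONF = """[tcp://:1918]
index = istr_security
sourcetype =  bcoat_proxysg
disabled = false

[tcp://:1919]
index = istr_security
sourcetype = bcoat_proxysg_plug
disabled = false
`
[tcp://:1920]
connection_host = dns
source = tcp:1920
index = istr_security
sourcetype = bcoat_proxysg_socks
disabled = false
"""
STANZA_RE = re.compile(r"^\[([^\]]+)\]$")
KV_RE = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(.*)$")
TCP_STANZA_RE = re.compile(r"^tcp://(?:[^:]*:)?(\d+)$")

def parse_inputs_conf(text):
    """Return ({stanza: {key: value}}, [(line_no, raw) for lines that are none of
    stanza / key = value / comment / blank]), so stray characters get reported."""
    stanzas, junk, current = {}, [], None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif (m := KV_RE.match(line)) and current is not None:
            stanzas[current][m.group(1)] = m.group(2).strip()
        else:
            junk.append((line_no, raw))
    return stanzas, junk

def enabled_tcp_ports(stanzas):
    """Ports splunkd should be listening on; compare with netstat -an output."""
    ports = []
    for name, cfg in stanzas.items():
        m = TCP_STANZA_RE.match(name)
        if m and cfg.get("disabled", "false").lower() not in ("1", "true"):
            ports.append(int(m.group(1)))
    return sorted(ports)
```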

SplunkTrust

And please confirm that you have no firewalls blocking the traffic, either host based or network based.

0 Karma

Splunk Employee

What happens if you try:

[tcp://:1920]
#connection_host = dns
#source = tcp:1920
index = istr_security
sourcetype = answers_test
disabled = false

and:

[tcp://:1920]
#connection_host = dns
source = tcp:1920
index = istr_security
sourcetype = answers_test
disabled = false

and:

[tcp://:1920]
connection_host = dns
source = tcp:1920
index = istr_security
sourcetype = answers_test
disabled = false

0 Karma