Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why to use syslog or tcp output?

GaetanVP
Contributor
‎10-03-2022 07:18 AM

Hello Splunkers,

I have a small question, what is the best practice (or for what reasons) should I use Syslog or TCP configuration inside the ouputs.conf file ? Both TCP and Syslog can forward data right ? What is the benefit of each possibility ?
https://docs.splunk.com/Documentation/Splunk/latest/Admin/outputsconf#TCPOUT_SETTINGS
https://docs.splunk.com/Documentation/Splunk/latest/Admin/outputsconf#Syslog_output----

I'm trying to forward logs from a HF to another HF (and I have multiple types of logs)

Thanks a lot,
GaetanVP

Labels (1)
Labels
0 Karma
Reply

chenfan
Explorer
‎05-13-2025 09:20 AM
Hi @gcusello 
{
    "type""splunk.map",
    "options": {
        "center": [
            24.007647480837704,
            107.43997967141127
        ],
        "zoom"2.3155822324586683,
        "showBaseLayer"true,
        "layers": [
            {
                "type""bubble",
                "latitude""> primary | seriesByName('latitude')",
                "longitude""> primary | seriesByName('longitude')",
                "bubbleSize""> primary | frameWithoutSeriesNames('_geo_bounds_east', '_geo_bounds_west', '_geo_bounds_north', '_geo_bounds_south', 'latitude', 'longitude') | frameBySeriesTypes('number')",
                "dataColors"" > primary | seriesByName('status') | matchValue('colorMatchConfig')"
            }
        ]
    },
    "dataSources": {
        "primary""ds_PHhx1Fxi"
    },
    "context": {
        "colorMatchConfig": [
            {
                "match""high",
                "value""#FF0000"
            },
            {
                "match""low",
                "value""#00FF00"
            },
            {
                "match""critical",
                "value""#0000FF"
            }
        ]
    },
    "containerOptions": {},
    "showProgressBar"false,
    "showLastUpdated"false
}
 
chenfan_0-1747153333123.png

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-03-2022 07:45 AM

For sending data from one Heavy Forwarder to another, use SplunkTCP by enabling receiving in Settings->Forwarding and receiving.

TCP and syslog inputs should be avoided since they can lead to data loss when Splunk restarts.  A dedicated syslog server such as syslog-ng will do a much better job at receiving syslog events than Splunk will.

---
If this reply helps you, Karma would be appreciated.
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-03-2022 07:41 AM

Hi @GaetanVP,

as you well know, using a syslog you can take logs only real time, if you don't catch them you lose them.

Instead using TCP, in other words Splunk connections, you have many advantages:

  • caching when the receiver isn0t active,
  • packet compression,
  • nerwork optimization,
  • etc...

In other words, use syslog only if you cannot install a Forwarder or if you have to send logs to an external system that can receive only syslogs.

Ciao.

Giuseppe

Reply

chenfan
Explorer
‎03-25-2025 11:46 PM

Hi @gcusello 
If I want to use Heavy Forwarder  to forward received Syslog logs to a target server that does not have Splunk instance, can you give me some advice?Thankyou!

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-26-2025 12:50 AM

Hi @chenfan ,

let me understand: you want to use a Splunk server to send logs outside Splunk, is this correct?

I suppose that this HF is used to send logs to a Splunk instance and also to a third party, not only to a third party because in this case there's no sense in this architecture.

anyway, to send logs to a third party, using syslogs, you can see at https://docs.splunk.com/Documentation/SplunkCloud/latest/Forwarding/Forwarddatatothird-partysystemsd

In addition, I hint to use rsyslog to receive sylogs and not the Splunk HF, instead the Splunk HF can be used to forward logs to the primary Splunk instance and also to the third party.

If instead you want to receive syslogs and forward them only to a third party use only rsyslog and another tool as logger or something similar.

Ciao.

Giuseppe

Reply

chenfan
Explorer
‎05-13-2025 09:14 AM

Hi @gcusello Thankyou for your support, you are my hero!
I've been having problems with Dashboard Studio recently and it has been bothering me for a long time. It would be great if you could give me some suggestions. I want to assign different colors according to different field values. I have made the following configurations, but they haven't taken effect. Can help me to check it.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-13-2025 11:59 PM

Hi @chenfan ,

as @isoutamo said, open a new question it's easier to answer you and to have a faster and probably better answer.

Anyway, I'm not an expert on Dashboard Studio that I use only when I cannot use Dashboard Classic, so I'm not sure to be able to help you.

In the new question, please better describe your request because it isn't so clear the colour of which object you want to change.

Ciao.

Giuseppe

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎05-13-2025 09:20 AM
Please create a new question for this item.
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 3)

Welcome back to Splunk Classroom Chronicles, our ongoing blog series that pulls back the curtain on Splunk ...

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...
Top