Getting Data In

ipv6 forwarders?

John_Mark
Splunk Employee
Splunk Employee

At one of the Splunklives last week, someone mentioned that they had a full-on ipv6 network and were unable to use splunk forwarders. That they could switch to an ipv4 network, and everything would work fine, but on an ipv6 network, the forwarded data would never reach the central Splunk server.

I wish I could provide more detail than that. Is this known to work 'out of the box'?

Tags (2)
1 Solution

dgrubb_splunk
Splunk Employee
Splunk Employee

Splunk Supports IPv6 both sending and receiving.

Further information can be found in our documentation:
http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/ConfigureSplunkforIPv6

Also keep in mind when trying to send only to Ipv6 networks server.conf settings will also be needed, e.g.

listenOnIPv6 = no|yes|only
* By default, splunkd will listen for incoming connections (both REST and
TCP inputs) using IPv4 only
* To enable IPv6 support in splunkd, set this to 'yes'. splunkd will
simultaneously listen for connections on both IPv4 and IPv6
* To disable IPv4 entirely, set this to 'only', which will cause splunkd
to exclusively accept connections over IPv6. You will probably also
need to change mgmtHostPort in web.conf (use '[::1]' instead of '127.0.0.1')
* Note that any setting of SPLUNK_BINDIP in your environment or
splunk-launch.conf will override this value. In that case splunkd will
listen on the exact address specified.

connectUsingIpVersion = auto|4-first|6-first|4-only|6-only
* When making outbound TCP connections (for forwarding eventdata, making
distributed search requests, etc) this controls whether the connections
will be made via IPv4 or IPv6.
* If a host is available over both IPv4 and IPv6 and this is set to
'4-first', then we will connect over IPv4 first and fallback to IPv6 if
the connection fails.
* If it is set to '6-first' then splunkd will try IPv6 first and fallback to
IPv4 on failure
* If this is set to '4-only' then splunkd will only attempt to make
connections over IPv4.
* Likewise, if this is set to '6-only', then splunkd will only attempt to
connect to the IPv6 address.
* The default value of 'auto' will select a reasonable value based on
listenOnIPv6 setting. If that value is set to 'no' it will act like
'4-only'. If it is set to 'yes' it will act like '6-first' and if it is
set to 'only' it will act like '6-only'.
* Note that connections to literal addresses are unaffected by this. For
example, if a forwarder is configured to connect to "10.1.2.3" the
connection will be made over IPv4 regardless of this setting.

View solution in original post

dgrubb_splunk
Splunk Employee
Splunk Employee

Splunk Supports IPv6 both sending and receiving.

Further information can be found in our documentation:
http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/ConfigureSplunkforIPv6

Also keep in mind when trying to send only to Ipv6 networks server.conf settings will also be needed, e.g.

listenOnIPv6 = no|yes|only
* By default, splunkd will listen for incoming connections (both REST and
TCP inputs) using IPv4 only
* To enable IPv6 support in splunkd, set this to 'yes'. splunkd will
simultaneously listen for connections on both IPv4 and IPv6
* To disable IPv4 entirely, set this to 'only', which will cause splunkd
to exclusively accept connections over IPv6. You will probably also
need to change mgmtHostPort in web.conf (use '[::1]' instead of '127.0.0.1')
* Note that any setting of SPLUNK_BINDIP in your environment or
splunk-launch.conf will override this value. In that case splunkd will
listen on the exact address specified.

connectUsingIpVersion = auto|4-first|6-first|4-only|6-only
* When making outbound TCP connections (for forwarding eventdata, making
distributed search requests, etc) this controls whether the connections
will be made via IPv4 or IPv6.
* If a host is available over both IPv4 and IPv6 and this is set to
'4-first', then we will connect over IPv4 first and fallback to IPv6 if
the connection fails.
* If it is set to '6-first' then splunkd will try IPv6 first and fallback to
IPv4 on failure
* If this is set to '4-only' then splunkd will only attempt to make
connections over IPv4.
* Likewise, if this is set to '6-only', then splunkd will only attempt to
connect to the IPv6 address.
* The default value of 'auto' will select a reasonable value based on
listenOnIPv6 setting. If that value is set to 'no' it will act like
'4-only'. If it is set to 'yes' it will act like '6-first' and if it is
set to 'only' it will act like '6-only'.
* Note that connections to literal addresses are unaffected by this. For
example, if a forwarder is configured to connect to "10.1.2.3" the
connection will be made over IPv4 regardless of this setting.

DTERM
Contributor

Has the status on support for IPv6 changed recently? Are there any plans for Splunk to support IPv6 anytime soon?

0 Karma

araitz
Splunk Employee
Splunk Employee

Not any time in the immediate future, but perhaps in the mid term.

0 Karma

kristiaan_d
Explorer

i would also like to know more about when this is going to be available in splunk as our company is looking to convert to IPv6.

gkanapathy
Splunk Employee
Splunk Employee

No, it doesn't. Splunk does not bind to ipv6 interfaces, nor can it send over ipv6 interfaces.

BobM
Builder

Do we know if/when this is in the pipeline?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...