Monitoring Splunk

Monitoring TCP output from a telephone switch.

johnpulley
New Member

I want to use Splunk to monitor the error output of a telephone switch. I can easily see the data by connecting to the port with telnet. I tried setting up a TCP data Input with the same port and IP address, but I don't get anything in the index. I've tried both the Enterprise license and the free license. I'm using Splunk 4.1.2 on Windows 2003 installed as a system user.

0 Karma
1 Solution

dwaddle
SplunkTrust

Splunk's TCP inputs are not really designed to connect to a remote device and then read from it. They are meant for the remote device to connect to Splunk and then send data in. You might try using a couple of netcat commands, one to connect to the switch and one to connect to Splunk. This way, both ends get what they want. Something like this may work:

nc phone_switch 12345 | nc splunk 9999

I've tried this on Linux and it works fine, but I dunno how well this will work on Windows.


johnpulley
New Member

Thanks, the light finally went on. First I'll try to see if I can get the telephone switch to do the connect. Otherwise, I'll probably try the ncat approach or something similar.

0 Karma

gkanapathy
Splunk Employee

nc doesn't come with Windows, but you can get ncat (sort of a successor to it, and which works the same) from http://nmap.org/ncat/

0 Karma

dskillman
Splunk Employee

TCP inputs are typically used for listening for things like syslog/syslog-ng. If you connect with telnet, do you have to run commands to see the data? Telnet is an active connection from your machine to the switch, not the other way around. You would want to tell the switch to syslog to Splunk on a given port. Most switches only support UDP syslog, and by default on port 514. If the switch only supports inbound connections for data gathering, you will need to set up a scripted input.

johnpulley
New Member

No login or other commands were used with telnet. I used it as a simple way to connect to a port and watch for TCP data. One complication I should have mentioned is that the PC has two NICs and the data is on the 2nd network connection.

0 Karma
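
The relay that the nc pipeline in this thread performs, as an added Python example (not code from any poster here): it connects out to the switch, optionally from the address of one specific NIC on a two-NIC host, and forwards what it reads to Splunk's TCP input. The hosts and ports are those of the nc command above; 192.0.2.10 is a placeholder for the second NIC's address, and `pump` and `relay` are illustrative names.

```python
import socket
import time

def pump(src, dst, bufsize=4096):
    """Copy bytes from src to dst until src reaches EOF; return the count."""
    total = 0
    while True:
        chunk = src.recv(bufsize)
        if not chunk:              # peer closed the connection
            return total
        dst.sendall(chunk)
        total += len(chunk)

def relay(switch_addr, splunk_addr, local_ip=None, timeout=10.0):
    """One session: connect to both ends, forward until the switch hangs up."""
    # source_address pins the outbound connection to one NIC on a
    # multi-homed host; port 0 lets the OS pick the source port.
    source = (local_ip, 0) if local_ip else None
    with socket.create_connection(switch_addr, timeout=timeout,
                                  source_address=source) as switch, \
         socket.create_connection(splunk_addr, timeout=timeout) as splunk:
        switch.settimeout(None)    # error output may be silent for hours
        return pump(switch, splunk)

if __name__ == "__main__":
    # Hosts/ports are those of the nc command in the thread; 192.0.2.10 is a
    # placeholder (assumption) for the address of the second NIC.
    while True:                    # unlike the nc pipe, reconnect after a drop
        try:
            sent = relay(("phone_switch", 12345), ("splunk", 9999),
                         local_ip="192.0.2.10")
            print(f"switch closed the connection after {sent} bytes")
        except OSError as exc:
            print(f"connection failed: {exc}")
        time.sleep(5)
```
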