How to set up HP Procurve switch to send logs to Splunk server?


I'm having a hard time getting logs from Procurve to the Splunk server. Any help would be greatly appreciated.

I can ping from the Splunk server to the HP Procurve switch and vice versa; they are in the same subnet. No firewall is blocking the connection:


root@indexer:~# ping

PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=255 time=0.873 ms
64 bytes from icmp_seq=2 ttl=255 time=0.858 ms

root@indexer:/opt/splunk/bin# ./splunk display listen

Receiving is enabled on port 9997.

root@indexer:/opt/splunk/bin# ./splunk btool inputs list splunktcp --debug | grep -v default

/opt/splunk/etc/system/local/inputs.conf        host = indexer
/opt/splunk/etc/apps/launcher/local/inputs.conf [splunktcp://9997]
/opt/splunk/etc/apps/launcher/local/inputs.conf connection_host = ip
/opt/splunk/etc/system/local/inputs.conf        host = indexer

root@indexer:/opt/splunk/bin# ./splunk btool outputs list splunktcp --debug | grep -v default

root@indexer:/opt/splunk/bin# ./splunk list inputstatus

Cooked:tcp :
       time opened = 2017-04-19T21:49:41+1000

      time opened = 2017-04-21T19:19:01+1000

tcp_cooked:listenerports :

UDP:listenerports :


root@forwarder2:~# netstat -tulpn

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0    *               LISTEN      3824/sshd       
tcp        0      0  *               LISTEN      4304/splunkd    
tcp        0      0  *               LISTEN      896/dnsmasq     
tcp6       0      0 :::22                   :::*                    LISTEN      3824/sshd       
udp        0      0   *                           4304/splunkd    
udp        0      0   *                           8112/cups-browsed
udp        0      0 *                           767/avahi-daemon: r
udp        0      0  *                           767/avahi-daemon: r
udp        0      0  *                           896/dnsmasq     
udp        0      0    *                           883/dhclient    
udp6       0      0 :::46130                :::*                                767/avahi-daemon: r
udp6       0      0 :::5353                 :::*                                767/avahi-daemon: r

root@forwarder2:/opt/splunkforwarder/bin# ./splunk list forward-server

Active forwards:
Configured but inactive forwards:

root@forwarder2:/opt/splunkforwarder/bin# ./splunk show deploy-poll

Deployment Server URI is set to "".

root@forwarder2:/opt/splunkforwarder/bin# ./splunk add udp 514 -sourcetype hp:switch

Listening for UDP input on port 514.

root@forwarder:/opt/splunkforwarder/bin# ./splunk add forward-server forwarded-server already present
Listening port 9997 has already been enabled on the indexer.

What other information do you need from me and where do I go from here?

That's what we started using it for. Make sure that you've configured your Procurve switches to forward their logs to your Splunk server. On each switch, use the command:

logging (Splunk server IP address)

Hope this helps...

I forgot to mention that was already done. Thanks,


How do I verify that I'm getting the logs from the HP Procurve switch? What commands do you need to run to determine whether logs are being received or not?

Actually, I got it working. Strange that it didn't work, but I didn't do anything more than configure logging again on the switch; maybe I forgot to wr mem. Anyway, looks good now.
I will try some dodgy router next.
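
On the verification question raised in this thread (how to tell whether the switch's syslog is actually arriving), here is an added example, not written by any poster here: a small UDP watcher that reports each datagram's source address and decoded syslog priority, plus a helper that builds a test message to inject at the Splunk UDP input. Assumptions: the function names and the default port 5514 are hypothetical; the forwarder's splunkd already holds UDP 514, so watching on 514 requires root and splunkd stopped.

```python
import socket
import sys

# Syslog facility and severity names in numeric order (RFC 3164).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def decode_pri(datagram):
    """Return (facility, severity, rest) for '<PRI>rest', or None if malformed."""
    text = datagram.decode("utf-8", errors="replace")
    end = text.find(">")
    digits = text[1:end]
    if not text.startswith("<") or not 2 <= end <= 4:
        return None
    if not (digits.isascii() and digits.isdigit()) or int(digits) > 191:
        return None
    pri = int(digits)
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], text[end + 1:].strip()

def build_test_message(facility, severity, body):
    """Build a minimal syslog datagram to inject at the Splunk UDP input."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    return f"<{pri}>{body}".encode()

def watch(sock, count, timeout=30.0):
    """Collect up to `count` datagrams as [(source_ip, decoded_or_None)]."""
    sock.settimeout(timeout)
    seen = []
    try:
        while len(seen) < count:
            data, (src, _port) = sock.recvfrom(8192)
            seen.append((src, decode_pri(data)))
    except socket.timeout:
        pass  # nothing more arrived within the window
    return seen

if __name__ == "__main__":
    # Port 5514 is a constructed default; pass 514 (as root) with splunkd stopped.
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 5514
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("0.0.0.0", port))
    for src, decoded in watch(listener, count=5):
        print(src, decoded if decoded else "datagram without a valid <PRI> header")
```

If nothing arrives on 514 while the switch is generating events, the problem is on the switch side (logging destination not set or not saved). If datagrams show up here but not in Splunk, look at the forwarder-to-indexer hop instead.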

