Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

UDP Data Input receive but not indexed

nhurtaud
Explorer
‎04-29-2013 08:23 AM

Hi everyone,

I have some problem with data input on UDP port
I send from a log collector syslog messages.
These are bein received by the splunk host (tcpdump capture) but not indexed.
Data input is well configured (when i use netcat for send messages from log collector to data input, these messages are well-indexed).

I changed some parameters like queue (IndexQueue) to bypass transforms but it's not resolved this issue. Also, i try to change SHOULD_LINEMERGE to false.

If someone has an idea or has encountered this problem?

Thank you and have a nice day.
Nicolas HURTAUD

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎04-29-2013 08:46 AM

Double check that splunk is listening to the port with netstat, disable any iptables.

If you are on linux and your syslog device uses ip spoofing, check this answer.
http://splunk-base.splunk.com/answers/12876/splunk-running-on-my-linux-server-is-only-showing-me-eve...

View solution in original post

0 Karma
Reply
Solved! Jump to solution

mlf
Path Finder
‎06-25-2013 09:24 AM

I've hit this issue multiple times and still haven't found the cause. It seems to happen randomly and is source specific. For example, if my input is on udp:9999, and I have 10 hosts logging, one host's logs will stop getting indexed. Other hosts, even those coming from the same subnet as the missing host, will be fine. In my case, recycling the indexer will normally solve it for the short term.

I'm currently still running 4.3.6. Has anyone seen this in 5.x? Anyone have a clue as to the cause?

0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎04-29-2013 08:46 AM

Double check that splunk is listening to the port with netstat, disable any iptables.

If you are on linux and your syslog device uses ip spoofing, check this answer.
http://splunk-base.splunk.com/answers/12876/splunk-running-on-my-linux-server-is-only-showing-me-eve...

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...