I have integrations made with UDP/TCP data inputs that index data correctly, but after a while they stop working. In Splunk we have different types of data inputs configured, and only the UDP/TCP inputs stop working. When this happens, the following validations are performed:
Validate iptables and firewall configurations on the server.
Validate with tcpdump that the data arrives at the server.
Validate that there is no data queuing by reviewing indexing queues.
After different tests, data ingestion recovers after specifying the parameter disabled=0 in inputs.conf and restarting Splunk. We didn't reach anything conclusive about what could cause this problem. We would like to be clear about what causes this problem so we know how to act if the situation repeats itself. Do you know what could cause this problem? Could you guide me or share ideas of what I could investigate?