I used to have 2 UDP syslog data inputs: UDP://514 going to the default index, UDP://515 going to a new index. They were successfully collecting syslog messages from network equipment. I noticed yesterday that they haven't indexed anything for a while. Disabling and re-enabling the data inputs briefly allowed some messages to be indexed but then it stopped again.
Today I deleted both data inputs and entered new ones.
Splunk\etc\apps\search\local\inputs.conf shows this:
[udp://514]
connection_host = ip
sourcetype = syslog
disabled = 0
index = network
source = Network

[udp://49200]
connection_host = ip
index = ecb
sourcetype = syslog
source = EmergencyCallBox
In the Search app, when I click on the Data Summary button, the Network and EmergencyCallBox sources I'm expecting are not listed, and the syslog sourcetype is not updated. I still see udp:514 listed as a source.
I'm using Splunk 6.0 on Windows 2008 R2. Rebooting the OS and Splunk didn't help.
If I run index=_internal source=*metrics.log* per_source_thruput series=EmergencyCallBox I see results (series=Network also gives me results).
Do I have to manually create the source and sourcetype? If so, where?
Any suggestions are welcome.
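The per_source_thruput check above is the right first question to ask (is the receiver actually ingesting anything?). The following is an added example, not part of the original post and not Splunk's own code: a small Python parser that reads metrics.log lines, totals the kb and event counts per source series, and flags series whose most recent sample reported zero events. The log lines embedded below are constructed for the example; they follow the general shape of Splunk's metrics.log (group=..., series="...", kbps=, eps=, kb=, ev=) but the numbers are made up. The function names (parse_metrics, per_source_summary, stalled_series) are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of Splunk's metrics.log. These lines and
# their values are made up for this example; they are not from the post.
SAMPLE_METRICS_LOG = """\
10/15/2013 09:30:12.345 -0500 INFO Metrics - group=per_source_thruput, series="Network", kbps=0.523, eps=3.2, kb=16.2, ev=99, avg_age=0.1, max_age=1
10/15/2013 09:30:12.345 -0500 INFO Metrics - group=per_source_thruput, series="EmergencyCallBox", kbps=0.041, eps=0.3, kb=1.3, ev=9, avg_age=0.0, max_age=0
10/15/2013 09:30:12.345 -0500 INFO Metrics - group=per_sourcetype_thruput, series="syslog", kbps=0.564, eps=3.5, kb=17.5, ev=108, avg_age=0.1, max_age=1
10/15/2013 09:30:43.345 -0500 INFO Metrics - group=per_source_thruput, series="Network", kbps=0.000, eps=0.0, kb=0.0, ev=0, avg_age=0.0, max_age=0
10/15/2013 09:30:43.345 -0500 INFO Metrics - group=per_source_thruput, series="EmergencyCallBox", kbps=0.048, eps=0.4, kb=1.5, ev=12, avg_age=0.0, max_age=0
10/15/2013 09:31:14.345 -0500 INFO Metrics - group=per_source_thruput, series="Network", kbps=0.000, eps=0.0, kb=0.0, ev=0, avg_age=0.0, max_age=0
"""

# "<date> <time> <tz> INFO Metrics - key=value, key="quoted value", ..."
LINE_RE = re.compile(r'^(?P<ts>\S+ \S+ \S+) INFO Metrics - (?P<fields>.*)$')
# key=value pairs; values may be double-quoted (series names) or bare numbers.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|[^,]+)')


def parse_metrics(text):
    """Yield (timestamp, {field: value}) for every Metrics line in text."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip non-metrics lines (startup noise, blank lines)
        fields = {}
        for key, raw, quoted in KV_RE.findall(m.group('fields')):
            fields[key] = quoted if raw.startswith('"') else raw.strip()
        yield m.group('ts'), fields


def per_source_summary(text, group='per_source_thruput'):
    """Total kb and event counts per series for one thruput group.

    Also keeps the event count of the last sample seen for each series,
    which is what stalled_series() uses to spot an input that went quiet.
    """
    summary = defaultdict(lambda: {'kb': 0.0, 'ev': 0, 'samples': 0, 'last_ev': 0})
    for _ts, f in parse_metrics(text):
        if f.get('group') != group or 'series' not in f:
            continue
        ev = int(float(f.get('ev', 0)))
        s = summary[f['series']]
        s['kb'] += float(f.get('kb', 0))
        s['ev'] += ev
        s['samples'] += 1
        s['last_ev'] = ev
    return dict(summary)


def stalled_series(summary):
    """Names of series whose most recent metrics sample reported zero events."""
    return sorted(name for name, s in summary.items() if s['last_ev'] == 0)


if __name__ == '__main__':
    totals = per_source_summary(SAMPLE_METRICS_LOG)
    for name, s in sorted(totals.items()):
        print(f"{name:20s} samples={s['samples']} kb={s['kb']:.1f} ev={s['ev']} last_ev={s['last_ev']}")
    print("stalled:", stalled_series(totals))
```

Two caveats when reading the output against a real metrics.log: by default Splunk only reports the busiest series in each interval, so a series that is absent from a sample is not proof that it received nothing; and a series that does show throughput proves only that the input parsed events, so if a search on that index and source returns nothing for the same window, the next place to look is index routing and timestamp extraction rather than the UDP listener.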