This makes me more confused.
I ran a real-time search for "10.10.26.* AND index=", where 10.10.26. is the IP subnet of the client that sends the logs to Splunk, and I ran tcpdump on the Splunk server to capture the return packets.
[root@Server-Name bin]# tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
19:29:47.475270 IP 10.10.24.14.9514 > 10.10.26.9.62640: . ack 2480355949 win 20416
19:29:48.475548 IP 10.10.24.14.9514 > 10.10.26.9.62640: . ack 226 win 20880
19:30:21.517224 IP 10.10.24.14.9514 > 10.10.26.9.46146: . ack 2104469992 win 5840
19:30:23.043887 IP 10.10.24.14.9514 > 10.10.26.9.62640: . ack 458 win 21344
19:31:07.721030 IP 10.10.24.14.9514 > 10.10.26.9.62640: . ack 690 win 21808
19:31:21.095833 IP 10.10.24.14.9514 > 10.10.26.9.46146: F 0:0(0) ack 2 win 5840
I see that the Splunk server (10.10.24.14) is replying back to the original client from TCP 9514.
But no logs show up in the Splunk portal.
Output from splunk list inputstatus:
Raw:tcp :
    514:Router Name
        time opened = 2016-11-21T13:54:56-0800
    9514:10.10.26.9 ----> This is the actual client.
        time opened = 2016-11-21T19:16:50-0800
tcp_raw:listenerports :
    514
    9514
    9515
Krishna
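The capture above only shows the server's side of the conversation, so a reader cannot tell directly whether the client actually sent any syslog data. The acknowledgement numbers answer that: the script below (an added example, not part of the post or of Splunk) parses the six tcpdump lines quoted above and works out, per client connection, how many bytes of client data the server acknowledged while the capture ran. It assumes tcpdump's default numbering, where the first packet seen for a flow is printed with an absolute ack and later packets relative to it (relative ack r corresponds to absolute first_ack + r - 1); values at or above the baseline are treated as absolute so it also works with tcpdump -S.

```python
import re

# The six tcpdump lines quoted in the post (server 10.10.24.14:9514 -> client 10.10.26.9).
CAPTURE = """\
19:29:47.475270 IP 10.10.24.14.9514 > 10.10.26.9.62640: . ack 2480355949 win 20416
19:29:48.475548 IP 10.10.24.14.9514 > 10.10.26.9.62640: . ack 226 win 20880
19:30:21.517224 IP 10.10.24.14.9514 > 10.10.26.9.46146: . ack 2104469992 win 5840
19:30:23.043887 IP 10.10.24.14.9514 > 10.10.26.9.62640: . ack 458 win 21344
19:31:07.721030 IP 10.10.24.14.9514 > 10.10.26.9.62640: . ack 690 win 21808
19:31:21.095833 IP 10.10.24.14.9514 > 10.10.26.9.46146: F 0:0(0) ack 2 win 5840
"""

# Matches the classic tcpdump TCP summary line format shown in the post:
# "<ts> IP <src>.<sport> > <dst>.<dport>: <flags> [<seq>:<seq>(<len>)] ack <n> win <w>"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>\S+) "
    r"(?:(?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<plen>\d+)\) )?"
    r"ack (?P<ack>\d+) win (?P<win>\d+)"
)


def parse_line(line):
    """Return a dict for one tcpdump TCP line, or None for any other line (banner, non-TCP)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {
        "ts": g["ts"],
        "src": g["src"], "sport": int(g["sport"]),
        "dst": g["dst"], "dport": int(g["dport"]),
        "flags": g["flags"],
        "payload": int(g["plen"]) if g["plen"] else 0,  # bytes the server itself sent
        "ack": int(g["ack"]),
        "win": int(g["win"]),
    }


def summarize_flows(capture):
    """Per client (ip, port): client bytes the server acknowledged during the capture.

    Assumption (tcpdump default): the first packet of a flow carries an absolute ack,
    later ones are relative, with relative r == absolute first_ack + r - 1, so the
    progress since the first captured packet is r - 1.  An ack at or above the
    baseline is treated as absolute (tcpdump -S), so both modes are handled.
    """
    flows = {}
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = (pkt["dst"], pkt["dport"])  # the client end; the server end is constant
        f = flows.setdefault(key, {
            "packets": 0, "baseline_ack": None, "client_bytes_acked": 0,
            "server_payload": 0, "server_fin": False, "last_win": None,
        })
        f["packets"] += 1
        if f["baseline_ack"] is None:
            f["baseline_ack"] = pkt["ack"]
            progress = 0
        elif pkt["ack"] >= f["baseline_ack"]:
            progress = pkt["ack"] - f["baseline_ack"]   # absolute numbering
        else:
            progress = pkt["ack"] - 1                   # relative numbering
        f["client_bytes_acked"] = max(f["client_bytes_acked"], progress)
        f["server_payload"] += pkt["payload"]
        f["server_fin"] = f["server_fin"] or "F" in pkt["flags"]
        f["last_win"] = pkt["win"]
    return flows


def transport_verdict(flows):
    """True if some client connection delivered data the server acknowledged.
    More than one sequence unit is required because a bare client FIN also consumes one."""
    return any(f["client_bytes_acked"] > 1 for f in flows.values())


if __name__ == "__main__":
    flows = summarize_flows(CAPTURE)
    for (ip, port), f in sorted(flows.items()):
        print(f"{ip}:{port} packets={f['packets']} client_bytes_acked={f['client_bytes_acked']} "
              f"server_payload={f['server_payload']} server_fin={f['server_fin']} win={f['last_win']}")
    print("TCP delivery OK" if transport_verdict(flows) else "no client data acknowledged")
```

Run on the quoted capture, the connection from client port 62640 shows the server acknowledging 689 bytes of client data over the capture window, while the connection from port 46146 shows only one sequence unit (consistent with a bare FIN) before the server closes it with its own FIN. In other words, the client is delivering data over TCP 9514 and the server is accepting it; the point to investigate next lies between the input and what the search returns, which this capture cannot show.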