I tried to query "

index=_internal source=*metrics.log group=udpin_connections 192.168.3.5

It did not come back with anything.

I believe i have configured the data input correctly and pointing to right index

At first glance looks pretty OK.

Check your windows firewall.

For testing, I have disabled the windows firewall. But I can see that logs are actually arriving within the windows machine and Splunk is not picking them up.

Well, there are no miracles. I understand that the packets show up on the interface but apparently are not picked up by Splunk. Question is whether it listens on the port at all (even though the input is defined, something might be preventing Splunk from binding to the port).

Did you verify with netstat that the Splunk process is actually listening on this port?

(BTW, I don't remember if you don't need to restart splunkd after adding the input using WebUI or REST. You must do so if you change inputs by config files).

update: I have gone over the configs and

 index=_internal source=*metrics.log group=udpin_connections 192.168.3.5

is giving following output.

We're getting somewhere 🙂

As you can see some non-zero values, it means that some data is indeed being received by the udp input. Now we need to find where it goes to.

By the fact that it's a windows installation and because it's called "DESKTOP-something" I assume that it's your private test box and you're not having a lot of data on it. So you can run a

index=*

search over "All time (real-time)" - this is one of the very very rare cases where real-time search makes sanes. Very important - don't try this on any production or heavily loaded test box.

With this you can see the events as they come into your Splunk box (so if your events are rare you might to wait a while). Check the index, source, sourcetype and timestamp of the incoming events.

Another way to find where those events are could be to run

| tstats count where index=* by source sourcetype index

Its all working now, Thank you for your help

For future reference so that if someone finds this thread has full information - tell us what did you do to make things work in the end/what was the problem.

Hello PickleRick,

I he created data input o allow udp14 traffic. So is index. Please check these screenshots for clarity, 

192.168.3.5 is Palo Device and 192.168.3.1 is windows machine where Splunk is installed

Hello Paul,

Thank you for a quick response, Its direct from Palo to to Splunk. I am using Paloalto App and Add on,  I am not seeing indexes growing at all. I tried looking at the data from Search option and try to match with various filters.

Regards

Rabab