Splunk Search

HF multiple UDP port listening | Best practices

GaetanVP
Contributor

Hello Splunkers,

I have a Splunk HF that will receive multiple logs coming from different machines, all sending via UDP.
I am wondering if I need to configure the external sources to send the logs via UDP but with different ports (one port for each source), or if I can simply tell all my sources to send over UDP port 514, for instance.

I am wondering if the UDP port 514 could become a "network bottleneck" because of too many logs coming from multiple sources on the same port. 

Thanks for your help,

GaetanVP

1 Solution

gcusello
SplunkTrust

Hi @GaetanVP,

If your data sources permit configuring a different port for each one, it's easier for you because you don't need to manually modify conf files.

But anyway, you could also use the same port 514 for all logs and separate data sources based on the IP address, but you need to manually modify conf files because Splunk doesn't permit (via GUI) adding two network data sources using the same port; it's possible via conf file.

Ciao.

Giuseppe


TheSteveBennett
Observer

If I have already configured UDP 514 as an input, where is that inputs.conf file located so I can modify it for other logs?


gcusello
SplunkTrust

Hi @TheSteveBennett ,

Don't attach a new question to an existing (and closed) one because it's difficult to get an answer; open a new question!

Anyway, you have to search in the many inputs.conf files that you have in the Splunk receiver (usually a Heavy Forwarder).

If you want to use the same port for the same logs (same index and sourcetype), you don't need to do anything.

Remember that if you want to use a different port, you can do it via the GUI; if instead you want to use the same port for a different sourcetype, you have to do it by modifying the inputs.conf file and also adding the IP address of the receiver.

Ciao.

Giuseppe

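As an added illustration of the conf-file approach described in both of Giuseppe's replies (this is example configuration, not something posted in the thread), the stanzas below share UDP port 514 between two senders and separate them by source IP using Splunk's `[udp://<remote server>:<port>]` stanza form. The IP addresses, sourcetype and index names are constructed placeholders; the file would typically live in an app's local directory on the heavy forwarder, such as `$SPLUNK_HOME/etc/apps/<your_app>/local/inputs.conf`.

```ini
# inputs.conf on the heavy forwarder (added example, not from the thread).
# Both stanzas listen on UDP 514; the host part of the stanza name restricts
# each one to datagrams arriving from that sender IP. Addresses are constructed.

# Firewall at 10.0.0.5 (constructed) sends syslog to UDP 514
[udp://10.0.0.5:514]
connection_host = ip
sourcetype = firewall_syslog
index = network
disabled = 0

# Linux host at 10.0.1.20 (constructed) sends to the same UDP 514
[udp://10.0.1.20:514]
connection_host = ip
sourcetype = linux_syslog
index = os
disabled = 0

# A sender not matched by any host-specific stanza needs its own stanza
# (or a generic [udp://514] one); otherwise its datagrams are not accepted.
# Because UDP carries no authentication, the sender IP is the only thing
# separating these feeds, so restrict which hosts can reach port 514
# at the host firewall as well.
```

After editing, restart the forwarder or reload inputs, then verify the listener is up with `netstat -anu | grep 514` and confirm events land in the expected index with a search such as `index=network sourcetype=firewall_syslog`.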

GaetanVP
Contributor

Hello @gcusello,

Thanks a lot for your answer, that makes total sense.

Regards,
GaetanVP
