I tried to copy-paste your chinese text to google translate to understand what you want to accomplish, but I am not sure the translation is correct: "I want to use syslog-ng to input data from the universal forwarder to my search head I'm going to use TCP but I don't know what's wrong and I can't display my data in the search header " your syslog-ng seems to be receiving syslog data on port 514 and then delivering the data to 10001/10002 TCP depending on the source IP while doing some transformation. Is 10001 and 10002 where your search heads are? Or are those ports opened by UF? Usually the easiest way to send syslog data to Splunk is by using HEC (HTTP Event Collector), and if you were using that you can simply assign host/source/sourcetype to a specific log message, no need to use separate ports. Also, you are manually getting rid of the priority header (e.g. removing <NNN> in the front), but that would be taken care of by the actual syslog parser in syslog-ng that you disabled via flags(no-parse).   ... View more

Hi you can check what features your license contains by just looking that license file. It can found from $SPLUNK_HOME/etch/license/xxxx/<license file>.lic. There are at least two different license directories enterprise and download-trial. 1st one contains your "official" + NFR etc. licenses, 2nd one contains trial which are installed with downloaded trial version if you haven't any other license file(s). You can just look that file and check what features you have like (etc/licenses/download-trial/enttrial.lic) <features> <feature>Auth</feature> <feature>FwdData</feature> <feature>RcvData</feature> <feature>LocalSearch</feature> <feature>DistSearch</feature> <feature>RcvSearch</feature> <feature>ScheduledSearch</feature> <feature>Alerting</feature> <feature>DeployClient</feature> <feature>DeployServer</feature> <feature>SplunkWeb</feature> <feature>SigningProcessor</feature> <feature>SyslogOutputProcessor</feature> <feature>AllowDuplicateKeys</feature> </features>  Those features are quite well self documented. Usually LM feature is included into all paid licenses and also it is in dev/test license which contains this feature  <feature>CanBeRemoteMaster</feature> There is also developer license which don't have that feature. You could read more about different licenses from https://docs.splunk.com/Documentation/Splunk/latest/Admin/TypesofSplunklicenses I think that in your use case you should use normal paid production license if this is production environment and if it's your test/lab env then you need to request dev/test license as described on above link. r. Ismo ... View more