Getting Data In

How to listen on UDP but Splunk 4.1.7 is not listening?

tpaulsen
Contributor

Hi,

I have set up UDP as an input for Splunk 4.1.7 before. But this time my configuration doesn't work and I have no clue why.

Here the inputs.conf

[default]
host = blade240

[udp://5420]
connection_host = dns
index = idx_puc_lb
sourcetype = puc-loadbalancer
disabled = 0

What am I doing wrong? I use Splunk 4.1.7.

The forwarder was an LWF, but I enabled the Forwarder mode as well, and I added a default-mode.conf file with the following stanza:

[pipeline:udp]
disabled = false

When I ask the forwarder, it tells me that it is listening:

splunk@blade240:/opt/splunk/LWF/splunk/bin# ./splunk list udp
Listening for input on the following UDP ports: 5420

But when I look with netstat -a | grep 5420, there is no port.

splunk@blade240:/opt/splunk/LWF/splunk/bin# netstat -a | grep 5420
splunk@blade240:/opt/splunk/LWF/splunk/bin#
0 Karma
1 Solution

tpaulsen
Contributor

Ah ok...now it is working...!

0 Karma

asingla
Communicator

Hi tpaulsen,

I am struggling with a similar issue. Can you please tell me what the reason for this was?

Here is my post http://splunk-base.splunk.com/answers/32140/not-able-to-forward-udp-messages-from-universal-fowarder...

0 Karma

tpaulsen
Contributor

The problem in my case was that the forwarder was configured as a Lightweight Forwarder, which has the port inputs deactivated by default. I switched the forwarder into heavy forwarder mode and everything worked then.

Unfortunately that happened on Splunk 4.1.7, so I don't know if this applies to the Universal Forwarder.

0 Karma

MuS
Legend

Hi, what was the problem? Maybe this could help someone having the same issue.

0 Karma

tpaulsen
Contributor

Ah ok...thank you...that worked. Now I can see the port:

splunk@blade240:/opt/splunk/LWF/splunk/bin# netstat -an | grep 5420
udp 0 0 0.0.0.0:5420 0.0.0.0:*

But still no data in Splunk. Guess we have to puzzle a bit more.

0 Karma

MuS
Legend

Hi tpaulsen, I used your inputs.conf and it is working. Anything in splunkd.log? What is 'netstat -an' stating?

0 Karma
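
Added example, not part of the original thread or Splunk's own tooling: a check that reads the Linux socket table in /proc/net/udp directly, so a UDP input such as port 5420 is found even when netstat without -n prints a service name instead of the number. The function names and the sample table are constructed for illustration; the last column is assumed to be the kernel's per-socket drop counter, as on current Linux kernels.

```shell
#!/bin/sh
# Constructed sample in /proc/net/udp format: one socket on 127.0.0.1:514
# and one on 0.0.0.0:5420 (0x152C) that has dropped 7 datagrams.
sample_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 0100007F:0202 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 11111 2 0000000000000000 0
  102: 00000000:152C 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 22222 2 0000000000000000 7
EOF
}

# udp_listeners PORT [TABLE...]
# Prints "HEXADDR:HEXPORT DROPS" for every socket bound to PORT.
# With no TABLE argument it reads the live IPv4 and IPv6 tables.
udp_listeners() {
    port_hex=$(printf '%04X' "$1"); shift
    [ $# -gt 0 ] || set -- /proc/net/udp /proc/net/udp6
    awk -v want="$port_hex" '
        FNR == 1 { next }                  # header row of each table
        {
            n = split($2, local, ":")      # local_address is HEXADDR:HEXPORT
            if (toupper(local[n]) == want)
                print $2, $NF              # bound address and drop counter
        }' "$@" 2>/dev/null
}

# udp_port_bound PORT [TABLE...]: exit status 0 if at least one socket is bound.
udp_port_bound() {
    [ -n "$(udp_listeners "$@")" ]
}

# Demo on the constructed table ("-" makes awk read standard input).
sample_table | udp_listeners 5420 -
```

On the forwarder host, `udp_port_bound 5420 && echo bound` checks the live tables; a bound socket with a rising drop count means datagrams reach the host but are not being read fast enough.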