Getting Data In

How to listen on UDP but Splunk 4.1.7 is not listening?

tpaulsen
Contributor

Hi,

I have set up UDP as an input for Splunk 4.1.7 before. But this time my configuration doesn't work and I have no clue why.

Here is the inputs.conf:

[default]
host = blade240

[udp://5420]
connection_host = dns
index = idx_puc_lb
sourcetype = puc-loadbalancer
disabled = 0

What am I doing wrong? I use Splunk 4.1.7.

The forwarder was an LWF, but I enabled the Forwarder mode, and I also added a default-mode.conf file with the following stanza:

[pipeline:udp]
disabled = false

When I ask the forwarder, it tells me that it is listening:

splunk@blade240:/opt/splunk/LWF/splunk/bin# ./splunk list udp
Listening for input on the following UDP ports: 5420

But when I look with netstat -a | grep 5420, there is no port.

splunk@blade240:/opt/splunk/LWF/splunk/bin# netstat -a | grep 5420
splunk@blade240:/opt/splunk/LWF/splunk/bin#
0 Karma

tpaulsen
Contributor

Ah ok...now it is working...!

0 Karma

asingla
Communicator

Hi tpaulsen,

I am struggling with a similar issue. Can you please tell me what the reason for this was?

Here is my post http://splunk-base.splunk.com/answers/32140/not-able-to-forward-udp-messages-from-universal-fowarder...

0 Karma

tpaulsen
Contributor

The problem in my case was that the forwarder was configured as a Lightweight Forwarder, which has the port inputs deactivated by default. I switched the forwarder into heavy forwarder mode and everything worked then.

Unfortunately that happens on Splunk 4.1.7, so I don't know if this applies to the Universal Forwarder.

0 Karma

MuS
Legend

Hi, what was the problem? Maybe this could help someone having the same issue.

0 Karma

tpaulsen
Contributor

Ah ok...thank you...that worked. Now I can see the port:

splunk@blade240:/opt/splunk/LWF/splunk/bin# netstat -an | grep 5420
udp 0 0 0.0.0.0:5420 0.0.0.0:*

But still no data in Splunk. Guess we have to puzzle a bit more.

0 Karma

MuS
Legend

Hi tpaulsen, I used your inputs.conf and it is working. Anything in splunkd.log? What is 'netstat -an' stating?

0 Karma
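
A stricter form of the netstat check used in this thread, as an added example that is not part of the original posts: it reads numeric `netstat -an` output and matches the UDP local port exactly, instead of grepping for the number anywhere in the line. The function names `udp_bound` and `report`, the service name `example-svc`, and every sample line except the one quoted from the thread are constructed for illustration; the Linux net-tools column layout shown in the thread is assumed.

```shell
#!/bin/sh
# udp_bound PORT
# Reads netstat output on stdin (Linux net-tools layout, as in the thread).
# Exits 0 only if a UDP socket is bound to exactly PORT on any local
# address, IPv4 or IPv6.
udp_bound() {
    awk -v port="$1" '
        $1 ~ /^udp/ {
            n = split($4, parts, ":")   # field 4 = local address; port follows the last ":"
            if (parts[n] == port) found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# Numeric output (netstat -an). The first line is the one quoted in the
# thread; the other two are constructed near-misses that a plain
# "grep 5420" would also match.
NUMERIC='udp 0 0 0.0.0.0:5420 0.0.0.0:*
udp 0 0 0.0.0.0:54200 0.0.0.0:*
tcp 0 0 0.0.0.0:5420 0.0.0.0:* LISTEN'

# Constructed: without -n, netstat prints a service name when /etc/services
# has an entry for the port, so the number never appears in the output.
# "example-svc" is a placeholder name.
RESOLVED='udp 0 0 *:example-svc *:*'

# report LABEL PORT TEXT -> prints "LABEL: bound" or "LABEL: not found"
report() {
    if printf '%s\n' "$3" | udp_bound "$2"; then
        echo "$1: bound"
    else
        echo "$1: not found"
    fi
}

report "numeric output, port 5420"  5420 "$NUMERIC"
report "numeric output, port 542"   542  "$NUMERIC"
report "resolved output, port 5420" 5420 "$RESOLVED"
```

On a live host the same function is fed with `netstat -an | udp_bound 5420`; a bound socket only shows that the input is open, not that datagrams are arriving or being indexed.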