How to configure a forwarder to listen on tcp/udp ...

sperschall · ‎04-13-2016

Hey,

I'm new to Splunk, so I may be missing something... However, I can't seem to configure a forwarder to listen on a network port (tcp/udp for syslog).

So far I have:
- Installed the forwarder which shows up in the Splunk Light dloud portal
- I have set the forwarder to monitor local event logs and the data is flowing into Splunk ok
- When I go to Add data, select the forwarder, select the server class, I can't click on the option for "Configure Splunk to listen on a network port." It also seems to be missing it's blue heading in that box. I can click on the other four options, but not that one.

Any ideas? Am I missing something?

Thanks...Scott

dkoshe_splunk · ‎04-13-2016

Looks like there is a bug introduced in the recent version that is preventing UI from working.
As a work around you can go to the machine where forwarder is running, and manually create (if none exists) inputs.conf file in /etc/system/local folder and update/add TCP input there and restart the forwarder (/bin/splunk restart).

Example stanza for receiving syslog via TCP input (update for your port and source type as appropriate):

[tcp://33333]
sourcetype=syslog
disabled=false

jterry · ‎04-13-2016

could you post a screen-shot?
if you have a server class defined that contains the forwarder(s) you're trying to enable the tcp/udp input on then there shouldn't be a problem.
thnx

sperschall · ‎04-13-2016

Sure...here you go.

jterry · ‎04-13-2016

ok, thnx. i'm looking into it/trying to re-produce the issue.

jterry · ‎04-13-2016

for now, the "Use the CLI" section of this doc may help: http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/Configureyourinputs#Use_the_CLI

How to configure a forwarder to listen on tcp/udp for syslog for Splunk Light cloud service?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk