Hi,
I have a feed of events coming into my Splunk Heavy Forwarder, but they aren't being indexed, and I'm baffled. Here's my inputs.conf:
[tcp://:1918]
index = istr_security
sourcetype = bcoat_proxysg
disabled = false
[tcp://:1919]
index = istr_security
sourcetype = bcoat_proxysg_plug
disabled = false
`
[tcp://:1920]
connection_host = dns
source = tcp:1920
index = istr_security
sourcetype = bcoat_proxysg_socks
disabled = false
1918 works. It's been in place for a long time. We are now sending 1920, but it's not showing up. I checked future events, and looked in the logs for any errors, but can't find any. I do see these messages, but they seem to be telling me that Splunk is now reading my port. I did a packet capture, and data is arriving.
10-26-2016 13:51:47.027 -0400 INFO TcpInputConfig - IPv4 port 1920 is reserved for raw input
10-26-2016 13:51:47.027 -0400 INFO TcpInputConfig - IPv4 port 1920 will negotiate new-s2s protocol
10-26-2016 13:51:47.027 -0400 INFO TcpInputProc - Creating raw Acceptor for IPv4 port 1920 with Non-SSL
Fixed. LTM issue - Splunk was fine.
And they found the issue with Splunk! hahahaha!
Can you please explain what the issue was on the LTM side? I am also facing the same problem. Can you tell me the fix for the same? Does anything need to be done from the Splunk side? Please reply. Thanks.
There's a tick mark on line 10 - is that a typo in the answers post?
If you change the port from 1920 to something else, does it work?
When Splunk is stopped on that host, is another process using that port? (netstat -an | grep 1920)
And please confirm that you have no firewalls blocking the traffic, either host based or network based.
What happens if you try:
[tcp://:1920]
#connection_host = dns
#source = tcp:1920
index = istr_security
sourcetype = answers_test
disabled = false
and:
[tcp://:1920]
#connection_host = dns
source = tcp:1920
index = istr_security
sourcetype = answers_test
disabled = false
and:
[tcp://:1920]
connection_host = dns
source = tcp:1920
index = istr_security
sourcetype = answers_test
disabled = false
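The tick-mark question raised in the answer above can be checked mechanically. This is an added example, not part of the original thread and not Splunk's own parser: a Python lint that flags any inputs.conf line that is not a stanza header, comment, or key = value setting, then summarises the raw TCP inputs. The names `lint_inputs`, `tcp_inputs` and `SAMPLE` are hypothetical, and the sample text is constructed from the stanzas in the question.

```python
import re

# Constructed sample: the three stanzas from the question, stray backtick kept.
SAMPLE = """\
[tcp://:1918]
index = istr_security
sourcetype = bcoat_proxysg
disabled = false
[tcp://:1919]
index = istr_security
sourcetype = bcoat_proxysg_plug
disabled = false
`
[tcp://:1920]
connection_host = dns
source = tcp:1920
index = istr_security
sourcetype = bcoat_proxysg_socks
disabled = false
"""
STANZA = re.compile(r"^\[(.+)\]$")
SETTING = re.compile(r"^([A-Za-z_][\w.\-:]*)\s*=\s*(.*)$")
TCP = re.compile(r"^tcp://(?:[^:]*:)?(\d+)$")

def lint_inputs(text):
    """Return (stanzas, problems); problems are (line_no, raw_line) pairs."""
    stanzas, problems, current = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        header, setting = STANZA.match(line), SETTING.match(line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif setting and current is not None:
            current[setting.group(1)] = setting.group(2)
        else:
            problems.append((n, raw))  # not a header, comment or key = value
    return stanzas, problems

def tcp_inputs(stanzas):
    """Map each raw TCP port to (index, sourcetype, disabled)."""
    out = {}
    for name, kv in stanzas.items():
        m = TCP.match(name)
        if m:
            out[int(m.group(1))] = (kv.get("index"), kv.get("sourcetype"),
                                    kv.get("disabled"))
    return out
```

A clean lint result with the 1920 stanza present and enabled points the investigation away from the file and toward the network path in front of the forwarder.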