Why is TCP data not being indexed?

a212830
Champion

Hi,

I have a feed of events coming into my Splunk Heavy Forwarder, but they aren't being indexed, and I'm baffled. Here's my inputs.conf:

[tcp://:1918]
index = istr_security 
sourcetype =  bcoat_proxysg
disabled = false

[tcp://:1919]
index = istr_security
sourcetype = bcoat_proxysg_plug
disabled = false
`
[tcp://:1920]
connection_host = dns
source = tcp:1920
index = istr_security
sourcetype = bcoat_proxysg_socks
disabled = false

1918 works. It's been in place for a long time. We are now sending 1920, but it's not showing up. I checked future events, and looked in the logs for any errors, but can't find any. I do see these messages, but they seem to be telling me that Splunk is now reading my port. I did a packet capture, and data is arriving.

10-26-2016 13:51:47.027 -0400 INFO  TcpInputConfig - IPv4 port 1920 is reserved for raw input
10-26-2016 13:51:47.027 -0400 INFO  TcpInputConfig - IPv4 port 1920 will negotiate new-s2s protocol
10-26-2016 13:51:47.027 -0400 INFO  TcpInputProc - Creating raw Acceptor for IPv4 port 1920 with Non-SSL

0 Karma

1 Solution

a212830
Champion

Fixed. LTM issue - Splunk was fine.

0 Karma

a212830
Champion

And they found the issue with Splunk! hahahaha!

0 Karma

pgadhari
Builder

Can you please explain what the issue was on the LTM side? I am also facing the same problem. Can you tell me the fix for it? Does anything need to be done on the Splunk side? Please reply. Thanks.

0 Karma

sloshburch
Splunk Employee

There's a tick mark on line 10 - is that a typo in the answers post?

If you change the port from 1920 to something else, does it work?

When Splunk is stopped on that host, is another process using that port? (netstat -an | grep 1920)

0 Karma
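
The two Splunk-side checks discussed above (the stray tick mark on line 10 of the posted inputs.conf, and whether splunkd opened a listener for each port), as an added example that is not part of the thread and not Splunk's own tooling. The function names are hypothetical, and the sample config and log text are constructed from what the question shows.

```python
import re

# Constructed sample mirroring the inputs.conf in the question (stray backtick on line 10).
SAMPLE_CONF = """[tcp://:1918]
index = istr_security
sourcetype = bcoat_proxysg
disabled = false

[tcp://:1919]
index = istr_security
sourcetype = bcoat_proxysg_plug
disabled = false
`
[tcp://:1920]
connection_host = dns
source = tcp:1920
index = istr_security
sourcetype = bcoat_proxysg_socks
disabled = false
"""
# Constructed log excerpt: only the port 1920 acceptor line quoted in the question.
SAMPLE_LOG = "10-26-2016 13:51:47.027 -0400 INFO  TcpInputProc - Creating raw Acceptor for IPv4 port 1920 with Non-SSL\n"

STANZA = re.compile(r"^\[tcp://[^\]:]*:(\d+)\]$")        # [tcp://:1920] or [tcp://host:1920]
SETTING = re.compile(r"^([A-Za-z_][\w.\-]*)\s*=\s*(.*)$")
ACCEPTOR = re.compile(r"TcpInputProc - Creating raw Acceptor for IPv4 port (\d+)")

def lint_inputs(conf_text):
    """Return ({port: settings}, [(line_no, text)]) for raw TCP stanzas and stray lines."""
    stanzas, stray, current = {}, [], None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.startswith("["):
            m = STANZA.match(line)
            current = stanzas.setdefault(int(m.group(1)), {}) if m else None
        elif (m := SETTING.match(line)):
            if current is not None:
                current[m.group(1)] = m.group(2).strip()
        else:
            stray.append((no, line))      # neither stanza, setting nor comment
    return stanzas, stray

def acceptor_status(stanzas, log_text):
    """Map each enabled TCP port to whether the log text shows a raw acceptor for it."""
    seen = {int(p) for p in ACCEPTOR.findall(log_text)}
    off = ("true", "1")
    return {p: p in seen for p, s in stanzas.items() if s.get("disabled", "false").lower() not in off}
```

When the lint is clean and the acceptor is confirmed for the port in question, the remaining suspects are upstream of Splunk, which is where this thread's fix turned out to be.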

Richfez
SplunkTrust

And please confirm that you have no firewalls blocking the traffic, either host based or network based.

0 Karma

jwelch_splunk
Splunk Employee

What happens if you try:

[tcp://:1920]
 #connection_host = dns
 #source = tcp:1920
 index = istr_security
 sourcetype = answers_test
 disabled = false

and:

[tcp://:1920]
 #connection_host = dns
 source = tcp:1920
 index = istr_security
 sourcetype = answers_test
 disabled = false

and:

[tcp://:1920]
 connection_host = dns
 source = tcp:1920
 index = istr_security
 sourcetype = answers_test
 disabled = false

0 Karma