Do local events on an indexer go through the receiver port?

mfrost8
Builder

Hello.

I've been working on a case with Splunk support for a week or two that involves the receiver port on one or more indexers getting plugged up and not taking new events for a while from transmitting universal forwarders.

I won't go into all the details of that case, but I need to collect additional netstat information for the very intermittent times this happens. I have some other non-Splunk-y ways I could do this, but processing the results would be easiest if they were in Splunk. Since this is intermittent it would be far more data than I'd need, but whatever might be easiest...

If I were to use the Splunk App for *nix, and its netstat script, to gather this information on indexers, what happens when this receiver port issue occurs? Does the output from a generating script somehow depend on the receiver port (9997), or in the case of a local event source on an indexer, is this handled internally? If it depends on the receiver port somehow, then I definitely need to go with another approach.

Thanks

0 Karma
1 Solution

chrisyounger
SplunkTrust

It doesn't. You can test this by setting up a dev box with no receiving port and you will see scripted inputs still get ingested.

Now that said, if I were you I would probably keep the troubleshooting stuff separate from Splunk in case the bug does also affect your data collection.

Maybe just run the Unix TA script using Cron and have it write to a file that you ingest later? Would be an easy change.

Good luck

0 Karma
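
One way to do the cron-to-file collection suggested in the answer above, added here as an example; it is not code from the thread and not the Splunk App for *nix netstat script. It assumes the Linux `netstat -ant` column layout, and the script path, output file, and field names are hypothetical.

```shell
#!/bin/sh
# Added example, not the Unix TA's netstat script: one key=value line per run
# describing TCP sockets on the receiver port, appended to a local file.
PORT="${PORT:-9997}"                          # receiver port from the question
OUT="${OUT:-/var/tmp/receiver_netstat.log}"   # hypothetical output path

# usage: netstat -ant | summarize_port PORT TIMESTAMP
# Expects Linux net-tools columns: Proto Recv-Q Send-Q Local Foreign State
summarize_port() {
    awk -v port="$1" -v ts="$2" '
        $1 ~ /^tcp/ {
            n = split($4, a, ":")        # port is the last ":" field (IPv4 and IPv6)
            if (a[n] != port) next
            count[$6]++
            # On LISTEN rows Recv-Q counts queued connections, not bytes.
            if ($6 == "LISTEN") listenq += $2
            else if ($6 == "ESTABLISHED") { recvq += $2; if ($2 > 0) stalled++ }
        }
        END {
            out = sprintf("%s port=%s listen_recvq=%d est_recvq_bytes=%d est_with_recvq=%d",
                          ts, port, listenq, recvq, stalled)
            m = split("ESTABLISHED SYN_RECV CLOSE_WAIT TIME_WAIT FIN_WAIT1 FIN_WAIT2 LAST_ACK", st, " ")
            for (i = 1; i <= m; i++) out = out sprintf(" %s=%d", tolower(st[i]), count[st[i]])
            print out
        }'
}

# Constructed sample input (not captured from a real indexer).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        3      0 0.0.0.0:9997            0.0.0.0:*               LISTEN
tcp    65160      0 10.0.0.5:9997           10.0.1.20:51514         ESTABLISHED
tcp        0      0 10.0.0.5:9997           10.0.1.21:40022         ESTABLISHED
tcp        0      0 10.0.0.5:9997           10.0.1.22:40100         CLOSE_WAIT
tcp        0      0 10.0.0.5:8089           10.0.1.23:40200         ESTABLISHED
tcp6       0      0 :::9997                 :::*                    LISTEN
EOF
}

# cron (hypothetical path): * * * * * /usr/local/bin/receiver_netstat.sh --run
case "${1:-}" in
    --run)  netstat -ant | summarize_port "$PORT" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$OUT" ;;
    --demo) sample_netstat | summarize_port "$PORT" "2024-01-01T00:00:00Z" ;;
esac
```

Because the output goes to a plain file, it keeps accumulating while the receiver port is stuck and can be ingested or read with grep afterwards.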

mfrost8
Builder

Thanks for the info.

Great suggestion. I'll give that a shot.

Thanks

0 Karma