Re: Why are new UDP data inputs for multiple hosts...

xxyz · ‎07-15-2015

Creating new UDP Data Inputs for received syslog data from specific hosts to go to a specific Index. After creating the data input with multiple hosts (comma delimited) the status is initially disabled. I have no problem enabling afterwards, but wondering if multiple hosts aren't allowed and that is why it is disabled or is it just a precaution?

martin_mueller · ‎07-15-2015

Yeah, inputs.conf

xxyz · ‎07-16-2015

so i added them all in. no problems. they show up in the gui just fine. however...

when i set a stanza to collect all syslog traffic and direct it to index 'syslog', it doesn't show in the gui. so will this work even though it's not showing?

[udp:514]
index = syslog
sourcetype = syslog
connection_host = ip

martin_mueller · ‎07-16-2015

Did you bump Splunk after making the change in the .conf file? Either by restarting or by hitting this URL:

http://your_host:8000/en-US/debug/refresh?entity=admin/conf-inputs

xxyz · ‎07-16-2015

interesting. normally configurations adding in the gui update conf files under local, but these additions do not.

martin_mueller · ‎07-16-2015

All UI settings must appear under local directories, else they would be lost on an upgrade of Splunk.
Make sure you've not just checked the wrong app and keep system/local in mind.

martin_mueller · ‎07-15-2015

How are you creating the inputs?

xxyz · ‎07-15-2015

through the gui: settings > data inputs > > udp > new

is there a conf to do this?

Why are new UDP data inputs for multiple hosts initially disabled after creation?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...