Splunk® Enterprise

Getting Data In


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Syslog - UDP

Splunk can listen on a UDP port for data coming from the syslog service on one or more hosts. You can use Splunk to gather syslog data from these hosts for easy searching, reporting and alerting.

To get syslog data over UDP, configure Splunk to listen for that data over a UDP port:

1. Go to the Syslog page in Splunk Web.

2. Then, choose "Next" under Syslog data from UDP.

3. On the next page, in the UDP port field, enter the UDP port on which you will accept connections from other systems running syslog.

The default syslog UDP port is 514.

4. Optionally, you can tell Splunk to override the default source value for this input by entering a string in the Source name override field.

5. You can set the sourcetype of the events generated by this source by choosing From list in the Set sourcetype drop-down, then selecting the desired choice from the Select source type from list drop-down.

You will typically want to set the source type to 'syslog'.

6. Alternatively, you can choose Manually from "Set sourcetype," and then enter a string in the Source type field that appears.

You can usually leave the other fields unchanged, including the fields under the More settings option. Look here for detailed information on these fields.

7. Finally, click Save.

8. From the Success page, click Search to start searching. You can enter any term that’s in your data, or you can click on a source, source type or host to narrow the results: sources correspond to the different directories within your syslog directory, source types to the different kinds of data in those directories, and hosts to the systems that sent the syslog data in the first place.
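The same input can be defined directly in inputs.conf instead of through Splunk Web. The script below is an added example, not part of the Splunk documentation or Splunk's own tooling: it renders the inputs.conf stanza that corresponds to steps 3 to 6 (port, source type, optional source override), checks whether anything on the local machine already holds the UDP port, and builds a syslog-style test line for verifying the listener. The stanza keys used (`[udp://<port>]`, `sourcetype`, `source`, `connection_host`) are documented inputs.conf settings; the source override string, host names and message text are constructed values, and the file path assumes the default `$SPLUNK_HOME/etc/system/local/inputs.conf` location.

```shell
#!/bin/sh
# Added example (not from the Splunk documentation): inputs.conf equivalent of
# the Splunk Web UDP syslog steps, plus a local port pre-check and a test line.

# Build the inputs.conf stanza for a UDP syslog listener.
# $1 = UDP port, $2 = sourcetype, $3 = optional source override (step 4 above).
udp_syslog_stanza() {
    port=$1
    sourcetype=$2
    source_override=${3:-}
    printf '[udp://%s]\n' "$port"
    printf 'sourcetype = %s\n' "$sourcetype"
    if [ -n "$source_override" ]; then
        printf 'source = %s\n' "$source_override"
    fi
    # Record the sender's IP address in the host field instead of resolving DNS.
    printf 'connection_host = ip\n'
}

# Return 0 if some process on this machine already has the UDP port bound.
# A port that is already taken, or a port below 1024 opened without the
# privileges to bind it, cannot be listened on by a second process.
udp_port_in_use() {
    port=$1
    if command -v ss >/dev/null 2>&1; then
        ss -lun 2>/dev/null | grep -q ":${port}[[:space:]]"
    else
        netstat -lun 2>/dev/null | grep -q ":${port}[[:space:]]"
    fi
}

# Format a minimal RFC 3164-style line: <PRI>TIMESTAMP HOST TAG: MSG,
# where PRI = facility * 8 + severity.
# $1 = facility, $2 = severity, $3 = host, $4 = tag, $5 = message.
syslog_test_line() {
    facility=$1; severity=$2; host=$3; tag=$4; msg=$5
    pri=$(( facility * 8 + severity ))
    printf '<%d>%s %s %s: %s\n' "$pri" "$(date '+%b %e %H:%M:%S')" "$host" "$tag" "$msg"
}

# Usage: warn if the port is already bound, then print the stanza for
# port 514, sourcetype syslog and the constructed source override "syslog-udp".
# Append the output to $SPLUNK_HOME/etc/system/local/inputs.conf and restart
# Splunk for the input to take effect.
if udp_port_in_use 514; then
    echo "UDP port 514 is already bound on this host; a Splunk listener on it will fail." >&2
fi
udp_syslog_stanza 514 syslog syslog-udp

# To verify the listener from another host with bash (not POSIX sh), send one
# constructed line, then search for it in Splunk (SPLUNK_HOST is a placeholder):
#   syslog_test_line 1 6 testhost splunk-check "udp input check" > /dev/udp/SPLUNK_HOST/514
```

The port check is the part of this script worth running before step 3: if it reports the port as bound, the Splunk Web save will not be able to open the listener, whichever port you chose.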

For more information on getting data from the network, see "Get data from TCP and UDP ports" in this manual.


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13


Comments

hi Vleitao, sorry it took so long to get back to you. this is a relatively common problem, and is answered on our Answers site: http://splunk-base.splunk.com/answers/1653/cant-add-udp-input-because-of-error-udp-port-514-is-not-available-why
hope you've been able to sort out your issue.

Rachel, Splunker
December 24, 2012

In Splunk version 4.3.3 I can't add UDP 514 port. It reports the following error: "Encountered the following error while trying to save: In handler 'udp': Parameter name: UDP port 514 is not available"

Vleitao
July 6, 2012
