Links

Splunk > The IT Search Company

  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk

Localized Splunk documentation

Looking for Splunk documentation in other languages?

Community | Discussion | View source | History

Working with UDP connections

Working with UDP connections

UDP is a connection-less and unreliable transport protocol:

  1. It doesn't enforce delivery
  2. It's not encrypted
  3. There's no accounting for lost datagrams
  4. Unfortunately a lot of network devices only offer UDP syslog as a logging mechanism

In cases where you don't have another option here are some general recommendations to improve your reliability:

  1. Limit UDP use to the same segment on a LAN.
  2. Make sure you increase buffer sizes on Splunk UDP inputs. Edit inputs.conf:
    3.   [udp://:514]
  _recvbuf = < int > (default value: xxxx recommended value: xxxx )
  3. If your indexer can't be on the same LAN, aggregate via a Splunk Forwarder or Syslog-NG in order to improve reliability.

TBD - Benefits of Forwarder vs. Syslog-NG

Retrieved from "http://www.splunk.com/base/Community:Working_with_UDP_connections"
Revision: 207 | Contact | Privacy Policy | Terms of Use | Community content licensed under Creative Commons

Copyright © 2005-2009 Splunk Inc. All rights reserved.