Splunk 3.4.1 is the latest version. Only use this page with older Splunk 2.0.x.
Splunk Data Access Manual (Splunk v2.0)
Splunk Input Modules
TCP
Use for: TCP sockets
This module listens on a TCP port (default 9998) for events.
Requirements & Restrictions
Incoming data must be a stream of events that have not been processed by another Splunk Server.
Don't use this module for Splunk-2-Splunk connections; use splunkTCP instead.
One port per module. To index from a second port, create a copy of the module. You must also rename the pipeline defined in the new module's config.xml file to be different from the first.
Installer
You can configure this module at installation time. Below is a sample session that shows the available options.
----------------------------------------------------------------------------
Network Port Input (TCP)

Do you want to listen for data on a TCP port?
(For example, log4j or syslog-ng.) [y/N]: y
----------------------------------------------------------------------------
Enter the port number [9998]:
----------------------------------------------------------------------------
What sourcetype name should be given to data on this port?
(Common types include log4j, syslog) []: log4j
----------------------------------------------------------------------------
Web GUI
You cannot configure this module through Splunk's Web interface yet. Splunk will add this feature in an upcoming release. Meanwhile, use one of the alternate methods below.
Command Line
This module cannot yet be configured through Splunk's command line interface. An upcoming release will add this feature. Meanwhile, use one of the other methods.
XML Files
Rename the disabled configuration file to activate it. Splunk will find and load config.xml.
# cd $SPLUNK_HOME/etc/modules/input/TCP
# mv config.xml.disabled config.xml
To deactivate the module, rename the file back to config.xml.disabled and restart the Splunk server.
Configuration Parameters
- port
The TCP port on which to listen. The default is 9998.
- queueSize
The number of events to queue up for input. The default is 1000.
- useDNSForHost
Whether to do a reverse DNS lookup on the IP address of any connecting client in order to set the host:: parameter of events. The default is true. If false, the module will set host:: to the IP address.
- metadata
Extra values to set on events. This example is the default configuration.
<metadata>
<ip addr="all">
<Sourcetype>log4j</Sourcetype>
</ip>
</metadata>
host::
By default, this module will set the value of host:: to be the IP address of the host that transmitted the event.
If useDNSForHost is set to True, the module will perform a reverse DNS lookup on the IP address. If the address resolves to a hostname, it will set that value instead.
Also, Splunk's universal processing pipeline can be configured to extract host:: values from each event separately for a specific source type, source or host. Splunk 2.0 is preconfigured to do this for several variants of syslog format. It will attempt to extract a host:: value from each individual event and use the setting in config.xml as a fallback. See the section on host:: extraction from events.
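The host:: resolution described above, as an added example (not Splunk's code): the function follows the reverse-lookup and IP-fallback rules on this page, while the `confirm` option, the function names and the sample records are assumptions of the example. A PTR name is set by whoever runs the reverse zone for the sender's address, so `confirm` keeps the name only when it also resolves forward to that address.

```python
import socket

def ptr_lookup(ip):
    # Reverse (PTR) lookup; None when the address does not resolve.
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def addr_lookup(name):
    # Forward lookup; the set of addresses the name resolves to.
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def host_value(peer_ip, use_dns_for_host=True, confirm=False,
               reverse=ptr_lookup, forward=addr_lookup):
    """Value to store in host:: for a connection from peer_ip.

    use_dns_for_host mirrors the page's useDNSForHost parameter.
    confirm is this example's own addition (not a Splunk setting): keep the
    PTR name only if it resolves forward to the same peer address.
    """
    if not use_dns_for_host:
        return peer_ip
    name = reverse(peer_ip)
    if not name:
        return peer_ip   # no PTR record: fall back to the IP address
    if confirm and peer_ip not in forward(name):
        return peer_ip   # PTR name is not backed by a forward record
    return name

# Constructed sample records (documentation address ranges), so this runs offline.
PTR = {"192.0.2.10": "app01.example.com", "198.51.100.7": "app01.example.com"}
A = {"app01.example.com": {"192.0.2.10"}}

def demo():
    kw = {"reverse": PTR.get, "forward": lambda name: A.get(name, set())}
    return [
        host_value("192.0.2.10", **kw),                          # PTR resolves
        host_value("203.0.113.5", **kw),                         # no PTR
        host_value("192.0.2.10", use_dns_for_host=False, **kw),  # DNS disabled
        host_value("198.51.100.7", **kw),                        # unconfirmed PTR accepted
        host_value("198.51.100.7", confirm=True, **kw),          # rejected by forward check
    ]

if __name__ == "__main__":
    print(demo())
```

With the default resolvers the same function performs live DNS lookups, so events from addresses whose PTR and forward records disagree can be spotted by comparing the two modes.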
To put XML file configuration changes into effect, restart the server as shown in the Basic Server Operations section of the Splunk Admin Manual.