Hi,
We have started some practical work with evaluating Splunk (3.4.10) and I have questions regarding details.
1: Splunk tcp input from Linux syslog clients compared with udp input yields different output:
tcp:
<83>Jun 5 10:34:37 uo000156 agetty[26028]: /dev/xvc0: No such file or directory
udp:
Jun 1 11:05:51 up000073.abrakdabra.com Jun 1 11:05:51 up000073 syslog-ng[19358]: SIGHUP received, restarting syslog-ng
Furthermore, when loading syslog input from Juniper Netscreen to the tcp listener there is no recognition of message start and stop; they are auto-truncated (by length, I assume) and what should be separate messages are presented as one, which can be truncated and continue in the next message. Sending data to the udp listener yields more "normal" output with messages separated as they should be. I found a Netscreen application, downloaded, installed and enabled it, but could not notice any difference. Probably because I have not yet realized which configuration entries should be changed.
I have looked at http://interop.demo.splunk.com/ (Splunk 3.4.5) and this site does not display tcp input with the pri field. There is also data from Juniper Netscreen via tcp and this information is presented nicely and what you would expect as normal output.
Is this difference between tcp and udp input considered normal? I assume that there might be some additional configuration to accomplish the same result as on the demo site (http://interop.demo.splunk.com/). Is there any way to get information and/or config files regarding this?
2: What is the practical difference when selecting linux-messages-syslog compared with syslog when specifying the source type?
linux-messages-syslog:
<4>May 29 17:45:35 up000073 kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:01:30:5f:c9:00:08:00 SRC=107.21.24.251 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=42110 PROTO=2
syslog:
<83>Jun 5 10:34:37 uo000156 agetty[26028]: /dev/xvc0: No such file or directory
BR,
Anders