For tcp and udp inputs, the following attributes apply:
• source: If not specified, source will default to protocol:port, for instance, udp:514.
• sourcetype: If not specified, sourcetype will also default to protocol:port, but this is generally not what you want. It is best to specify a source type and create a corresponding stanza in props.conf.
• connection_host: With network inputs, what value to capture for host is somewhat tricky. Your options essentially are:
° connection_host = dns, which uses reverse DNS to determine the hostname from the incoming connection. When reverse DNS is configured properly, this is usually your best bet. This is the default.
° connection_host = ip, which sets the host field to the IP address of the remote machine. This is your best choice when reverse DNS is unreliable.
° connection_host = none, which uses the hostname of the Splunk instance receiving the data. This option can make sense when all traffic is going to an interim host.
° host = foo, which sets the hostname statically.
° It is also common to reset the value of host using a transform, for instance with syslog events. This happens after parsing, though, so it is too late to change things such as time zone based on the host.
• queueSize: This value specifies how much memory Splunk is allowed to set aside for an input queue. A common use for a queue is to capture spiky data until the indexers can catch up.
• persistentQueueSize: This value specifies a persistent queue that can be used to capture data to disk if the in-memory queue fills up.
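The attributes above, put together as a worked inputs.conf and props.conf pair. This is an added illustration, not configuration from the book or from Splunk's own documentation; the ports, host name, queue sizes and time zone are assumed values, and the [host::...] TZ override in props.conf is used to show why the host value must be right before parsing.

```ini
# inputs.conf (added example; all values are assumed)

# Relying on the defaults: source and sourcetype both become "udp:514"
# and host is resolved with reverse DNS (connection_host = dns).
# It works, but a sourcetype of "udp:514" is rarely what you want.
[udp://514]

# Explicit version: name the source type so a props.conf stanza can
# handle it, take host from the sender's IP because reverse DNS is
# unreliable on this network, and give the queues room for bursts
# (queueSize is memory; persistentQueueSize spills to disk when it fills).
[udp://1514]
sourcetype = syslog
connection_host = ip
queueSize = 10MB
persistentQueueSize = 100MB

# Static host for a relay that forwards on behalf of many devices.
# connection_host = none so the host attribute below is kept as-is
# instead of being replaced by a lookup (assumed interaction).
# The originating device's name, if needed, is restored later with a
# transform, which runs after parsing.
[tcp://1515]
sourcetype = syslog
connection_host = none
host = relay01.example.com

# props.conf (same example; values assumed)

# Stanza for the explicitly named source type; line breaking and
# timestamp settings for these events belong here.
[syslog]

# Time-zone override keyed on the host assigned at input time.
# This works only because host was fixed in inputs.conf: a host reset
# by a transform happens after parsing, too late for TZ to apply.
[host::relay01.example.com]
TZ = America/Los_Angeles
```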
If you find yourself building a particularly complicated setup around network ports,
I would encourage you to talk to Splunk support as there may be a better way to
accomplish your goals.