Handling network data input
The network data input type is for sources that can only send data over TCP/UDP. Sources such as IoT devices, network switches, routers, and sensors rely on the layer-4 protocols TCP and UDP, and Splunk Enterprise supports indexing the data they send. Here are some important details about this input type:
- The UF and HF both support network input.
- In Splunk Enterprise, the indexer instance is usually preceded or “fronted” by the UF or HF, which handles the task of forwarding data for indexing. The connection from UF/HF to Splunk Enterprise must use a valid Secure Sockets Layer (SSL) certificate.
- Transmission Control Protocol (TCP) is more reliable than User Datagram Protocol (UDP), as the latter doesn’t guarantee the delivery of network packets.
- UDP messages in Splunk are not indexed as individual events until a timestamp is found in the data stream. This can be fixed during the parsing phase by configuring sourcetype...
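
The forwarder-fronted setup described in the list above, as an added example that is not taken from the original text: a UF/HF listens on TCP and UDP and forwards to the indexer over a certificate-verified connection. Port numbers, host name, index, sourcetype and certificate paths are assumed placeholders.

```ini
# --- Forwarder (UF or HF): $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Listen for layer-4 senders (switches, routers, sensors). Port, index and
# sourcetype values are constructed placeholders.
[tcp://5514]
connection_host = ip
sourcetype = syslog
index = network

[udp://5514]
connection_host = ip
sourcetype = syslog
index = network

# --- Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Forward to the indexer over TLS and verify the indexer's certificate,
# so data is not sent to an endpoint that cannot prove its identity.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.internal:9997
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslPassword = <private-key-password>
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.example.internal

# --- Forwarder and indexer: $SPLUNK_HOME/etc/system/local/server.conf ---
# CA bundle used to validate the peer's certificate chain.
[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem

# --- Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Accept forwarder traffic only on the TLS-wrapped receiving port and
# require forwarders to present a certificate signed by the trusted CA.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = <private-key-password>
requireClientCert = true
```

The device-to-forwarder hop on the `[tcp://]` and `[udp://]` stanzas is still plaintext, so the forwarder should sit on the same trusted network segment as the devices it collects from.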