In Splunk Enterprise and Splunk Universal Forwarder, data inputs are configured using stanzas in inputs.conf. Each stanza defines a listener for a particular input type (for example, TCP or UDP) and a specific port.
Splunk documentation states that a single TCP input stanza can receive data from multiple remote hosts sending to the same TCP port, and similarly, a single UDP input stanza can receive data from multiple devices sending to the same UDP port. Therefore, the number of sending devices does not determine the number of stanzas required; the number of distinct protocol and port combinations does.
In this case:
All three TCP devices can send data to one TCP port (one stanza).
All four UDP devices can send data to one UDP port (one stanza).
Thus, the minimum number of input stanzas required is two — one for TCP and one for UDP.
Example configuration (inputs.conf):
# TCP input for three switches sending via TCP
[tcp://9997]
sourcetype = switch_logs
# UDP input for four switches sending via UDP
[udp://514]
sourcetype = switch_logs
This configuration ensures all seven devices’ logs are collected without creating individual stanzas for each device.
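The stanza count follows from grouping senders by protocol and port. The Python check below is an added example, not part of the original answer and not Splunk tooling: it parses the inputs.conf shown above and verifies a constructed seven-device inventory against it. The device names and function names are hypothetical, and recognising the [tcp://<remote server>:<port>] stanza form goes beyond the case on this page.

```python
import configparser
import re

# inputs.conf from the page (stanza names and settings as given there).
INPUTS_CONF = """
# TCP input for three switches sending via TCP
[tcp://9997]
sourcetype = switch_logs
# UDP input for four switches sending via UDP
[udp://514]
sourcetype = switch_logs
"""

# Constructed inventory: (device name, protocol, destination port).
DEVICES = [(f"sw-tcp-{i}", "tcp", 9997) for i in range(1, 4)] + \
          [(f"sw-udp-{i}", "udp", 514) for i in range(1, 5)]

# Matches [tcp://<port>] or [tcp://<remote server>:<port>]; same for udp.
STANZA_RE = re.compile(r"^(tcp|udp)://(?:(?P<host>[^:/]+):)?(?P<port>\d+)$")

def network_listeners(conf_text):
    """Return {(protocol, port): [remote-host restriction or None, ...]}."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # keep setting names case-sensitive
    parser.read_string(conf_text)
    listeners = {}
    for name in parser.sections():
        m = STANZA_RE.match(name)
        if m:
            key = (m.group(1), int(m.group("port")))
            listeners.setdefault(key, []).append(m.group("host"))
    return listeners

def minimum_stanzas(devices):
    """One stanza per distinct (protocol, port), however many senders."""
    return len({(proto, port) for _, proto, port in devices})

def uncovered(devices, listeners):
    """Devices whose protocol/port has no listener open to any sender."""
    return [name for name, proto, port in devices
            if None not in listeners.get((proto, port), [])]
```

A stanza that names a remote server is treated here as not covering the general inventory, because it only applies to connections from that one host.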
Reference (Splunk Documentation):
Splunk® Enterprise Admin Manual → Configure Data Inputs → “Listen for network data”
inputs.conf.spec and example → “You can configure a single TCP or UDP input to receive data from multiple remote hosts.”
Splunk Universal Forwarder Manual → Configure Forwarding Inputs → “Universal Forwarders can listen on a single TCP or UDP port for multiple remote data sources.”