TCP data input configuration fields

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of TCP Data Input Configuration Fields

    The TCP data input configuration form allows ServiceNow customers to set up and manage log data streaming through a MID Server. This configuration is crucial for ensuring proper log ingestion and monitoring within your organization.

    Show full answer Show less

    Key Features

    • Name: Required field for the data input name.
    • Description: Optional field to describe the data input.
    • Port: A unique port number for the MID Server; must be opened by the security team.
    • MID: Selects a MID Server capable of log ingestion. Basic authentication is required, and the default limit for data inputs per MID Server is 10.
    • Service Instance: Required binding for log data; create a new service instance if none exists.
    • Status: Displays the current status of the data input.
    • Transport: Indicates the protocol used (TCP).
    • Sources Count: Number of log sources created by this input.
    • Disabled Since: Timestamp indicating when the data input stopped or failed.
    • Last Log Time: Timestamp of the last log received.
    • Error Message: Automatically populated field showing any streaming errors.

    Advanced Configuration

    • Use SSL/TLS: Enables secure log transmission.
    • Look Up Hostnames: Option for DNS resolution of IPs.
    • Boss Thread Count: Sets the number of threads for managing connections (default: 1).
    • Worker Thread Count: Sets the number of threads for handling incoming data (default: 4).
    • Read Timeout Seconds: Duration before closing a channel due to inactivity (default: 30 seconds).
    • Default Timezone: Sets a default for events without a specified timezone (default: GMT).
    • Sub Sample Drop Ratio: Indicates the event drop ratio (-1 means no drop).
    • Sub Sample Receive Ratio: Indicates the event receive ratio (-1 means all received).
    • Max Length in Bytes: Limits the maximum length of log messages (default: 32766 bytes).
    • Character Encoding: Specifies the encoding for the data input (default: UTF-8).
    • Drop if Queue is Full: Option to discard logs if the MID Server is overloaded.
    • Line Breaker Delimiters: Defines characters for separating raw log lines (e.g., "\r, \n").

    Key Outcomes

    Effectively configuring these fields allows ServiceNow customers to streamline log ingestion, ensure data integrity, and manage log data efficiently across their infrastructure. Proper setup of the TCP data input enhances monitoring capabilities and supports operational needs.

    Description of the fields on the TCP data input configuration form.

    Basic configuration

    Field Description
    Name Name of the new data input. This field is required.
    Description Description of the data input.
    Port The port for the MID Server.

    Select a unique port from the array. The placeholder shows the range of ports from which to choose. Make sure that your organization’s security team opens the selected port.

    This field is required.
    MID The MID Server to which the logs are streamed.
    Note:
    • You can select only MID Servers with log ingestion capability that support basic authentication. MID Servers that support mTLS are not listed.
    • The default maximum number of data inputs streaming logs to a single MID Server is 10. You can modify this number in the MID Server properties.
    This field is required.
    Service instance The service instance to which to bind the log data. This field is required.
    Note:
    If no relevant service instance exists, Create an service instance and add CIs to it. Set the status of the new service instance to Operational.

    The following fields show read-only information:

    Field Description
    Status Status of the data input.
    Transport Protocol used to send the log data.

    Rsyslog and Splunk send data using the TCP protocol.
    Sources count The number of log sources this data input has created.
    Disabled since The time when the data input stopped or failed.
    Last log time The time when the last log streamed in the data input.
    Error message The streaming error.

    This field is populated automatically. It displays only when a streaming error has occurred.

    Advanced configuration

    Table 1. Advanced configuration form
    Field Description Default value
    Use SSL/TLS Option to use SSL/TLS.
    Look up hostnames Option to perform DNS lookup to resolve IPs to hostnames. false
    Boss thread count The number of threads that manage connections. 1
    Worker thread count The number of threads that handle incoming data. 4
    Read timeout seconds The timeout in seconds since the last read. When the timeout expires, the system closes the channel. 30
    Default timezone The default time zone of events. The system uses this default when the log does not specify a time zone. GMT
    Sub sample drop ratio The ratio of events to drop. -1
    Sub sample receive ratio The ratio of events to receive. -1
    Max length in bytes The maximum length of log messages in bytes. 32766
    Character encoding The character encoding for this data input. UTF-8
    Drop if queue is full Option to discard logs if there is a load on the MID Server.
    Line breaker delimiters The line break character separating the raw log lines.

    Splitting values must be separated by a comma followed by a space: ", ". For example: "\r, \n, , splitHere, #".