I have an irule configured on the LTM that I apply to most of the Virtual Servers that sends the traffic logs to a Splunk server. Lately, i have noticed logs not being in Splunk. On the splunk server, i have created several Data Input Ports other than UDP/514. If i go to the server pool that contains the splunk server and change the port number, as soon as it updates, I start seeing the logs in the splunk again. This will work for awhile and then it would happen again. I would go into the server pool and change to a different port and then it would start working. I ran a capture on the splunk server during the time that it wasn't working and i see the logs coming from the LTM, but the protocol is WHO instead of UDP. When it is working, the captures show the protocol as UDP. I thought it was an issue with Splunk, so i opened a case with them. While waiting for a response from Splunk support, the issue happened again and this time i ran a capture on the LTM. The LTM capture also shows the protocol as WHO instead of UDP. Here is a copy of an entry from the capture.