topic Re: Splunk event forwarding in All Apps and Add-ons

Splunk event forwarding

shaileshpawar21 — Mon, 22 Apr 2013 17:01:20 GMT

Hello,
I have tried to forward log event stored in splunk to Linux machine via syslog.
but only splunk specific events (means events that are generated by splunk not the stored events) are forwarded to linux machine.
can anybody please tell me about process of forwarding stored events from splunk to other linux/windows box.?? please

thanks in advance

Re: Splunk event forwarding

kristian_kolb — Mon, 22 Apr 2013 18:59:41 GMT

You can forward incoming events to a third party system (i.e. a non-splunk system). From the wording of your question it seems like you have set this up with partial success. I believe that you wish to forward data that has already been indexed by a splunk indexer. To the best of my knowledge that is not as straightforward as it might seem, unfortunately. Once event have been indexed (i.e. you don't forward the incoming stream of events), you'll have make searches and export the search results.

http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Forwarddatatothird-partysystemsd
http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Savingsearchesandsharingsearchresults
http://splunk-base.splunk.com/answers/46050/export-raw-logs-from-specific-time

Hope this helps,

Kristian

Re: Splunk event forwarding

shaileshpawar21 — Tue, 23 Apr 2013 08:44:51 GMT

Thanks Kristian,
I want to forward data(events) which is stored in index(journal.gz file) to the remote on third party non splunk machine via TCP port through syslog.
How should I do that ?
Please help me in this.

Thanks in advance

Re: Splunk event forwarding

Ayn — Tue, 23 Apr 2013 09:19:52 GMT

You can't grab events right from the raw index files. You need to go through the regular Splunk mechanisms, which the docs that kristian links to describe. Is there anything in particular that you're missing in the docs? Because I see instructions there on how to grab all or just a subset of the events and forward it to a 3rd party system over TCP...

Re: Splunk event forwarding

shaileshpawar21 — Wed, 24 Apr 2013 09:40:10 GMT

Hi Ayn,

I have followed all steps given in link but events are not forwarded to other machine.
I have done following steps.
1st received events from TCP port
then in foward made the configuration of hostname:port
the host which is mentioned has beed configured to read events through syslog. (for this edited rsyslog.conf)
but events are not present in log file of other machine..
Please help me,
Thanks.