https://community.splunk.com/t5/Splunk-Enterprise/Seeking-Solutions-for-Forwarding-Splunk-Metadata-to-Third-Party/m-p/745932#M22230 <P>See my response in your other thread.</P> Mon, 12 May 2025 06:24:03 GMT PickleRick 2025-05-12T06:24:03Z https://community.splunk.com/t5/Splunk-Enterprise/Seeking-Solutions-for-Forwarding-Splunk-Metadata-to-Third-Party/m-p/745926#M22227 <P>I want to forward logs to a third-party system over HTTP, but I found in the Splunk documentation that forwarding logs to third-party systems is typically done over TCP. I tried using TCP, but I did not receive Splunk metadata like<SPAN>&nbsp;</SPAN>host,<SPAN>&nbsp;</SPAN>sourcetype,<SPAN>&nbsp;</SPAN>source, and<SPAN>&nbsp;</SPAN>index<SPAN>&nbsp;</SPAN>on the third-party system.</P><P>Is it possible to forward logs with metadata to a third-party system over HTTP? If not, how can I get Splunk metadata over TCP? Can anyone suggest a solution?<BR /><BR /><BR /><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/149">@splunk</a>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/193662">@splunkent2</a>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/276838">@Splunk9</a>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/276851">@msplunk</a>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/72423">@splunk0</a>&nbsp;</P> Mon, 12 May 2025 05:20:12 GMT https://community.splunk.com/t5/Splunk-Enterprise/Seeking-Solutions-for-Forwarding-Splunk-Metadata-to-Third-Party/m-p/745926#M22227 sudha_krish 2025-05-12T05:20:12Z https://community.splunk.com/t5/Splunk-Enterprise/Seeking-Solutions-for-Forwarding-Splunk-Metadata-to-Third-Party/m-p/745930#M22228 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/308717">@sudha_krish</a>&nbsp;</P><DIV><SPAN class=""><SPAN class="">Splunk forwarders (Universal or Heavy) send only </SPAN></SPAN><SPAN class=""><SPAN class=""><SPAN class="">raw event data</SPAN></SPAN></SPAN><SPAN class=""><SPAN class=""> to non-Splunk systems over TCP or syslog by default, as outlined in the Splunk documentation. Metadata such as </SPAN></SPAN><SPAN class=""><SPAN class="">host</SPAN></SPAN><SPAN class=""><SPAN class="">, </SPAN></SPAN><SPAN class=""><SPAN class="">sourcetype</SPAN></SPAN><SPAN class=""><SPAN class="">, </SPAN></SPAN><SPAN class=""><SPAN class="">source</SPAN></SPAN><SPAN class=""><SPAN class="">, and </SPAN></SPAN><SPAN class=""><SPAN class="">index</SPAN></SPAN><SPAN class=""><SPAN class=""> is internal to Splunk and not included in the raw event payload.&nbsp;</SPAN></SPAN></DIV><DIV>&nbsp;</DIV><DIV><DIV><SPAN class=""><SPAN class="">To forward logs with metadata over HTTP reliably, tools like </SPAN></SPAN><SPAN class=""><SPAN class=""><SPAN class="">Cribl Stream</SPAN></SPAN></SPAN> <SPAN class=""><SPAN class="">are commonly used. These tools can intercept Splunk data, enrich it with metadata, and send it to third-party systems via HTTP.&nbsp;</SPAN></SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN class=""><SPAN class=""><SPAN>Cribl (</SPAN><A href="https://cribl.io/" target="_blank" rel="nofollow noopener noreferrer">https://cribl.io/</A><SPAN>) allows you to route events to multiple systems but maintain full metadata. In addition, you can be very selective about what goes where and you can reshape and enrich events as they're moving.</SPAN></SPAN></SPAN></DIV></DIV> Mon, 12 May 2025 06:15:29 GMT https://community.splunk.com/t5/Splunk-Enterprise/Seeking-Solutions-for-Forwarding-Splunk-Metadata-to-Third-Party/m-p/745930#M22228 kiran_panchavat 2025-05-12T06:15:29Z https://community.splunk.com/t5/Splunk-Enterprise/Seeking-Solutions-for-Forwarding-Splunk-Metadata-to-Third-Party/m-p/745931#M22229 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/308717">@sudha_krish</a>&nbsp;</P><P>Sending out over HTTP does not use an open HTTP standard/API - it uses Splunk2Splunk protocol wrapped in HTTP, so therefore it is only supported for sending to other Splunk systems.&nbsp;</P><P>If you want to send data to a non-Splunk system you can look at the syslog forwarding, however this sends the raw events before they are parsed.</P><P>For more information on sending to external systems please check out&nbsp;<A href="https://docs.splunk.com/Documentation/SplunkCloud/latest/Forwarding/Forwarddatatothird-partysystemsd" target="_blank">https://docs.splunk.com/Documentation/SplunkCloud/latest/Forwarding/Forwarddatatothird-partysystemsd</A></P><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Mon, 12 May 2025 06:22:10 GMT https://community.splunk.com/t5/Splunk-Enterprise/Seeking-Solutions-for-Forwarding-Splunk-Metadata-to-Third-Party/m-p/745931#M22229 livehybrid 2025-05-12T06:22:10Z https://community.splunk.com/t5/Splunk-Enterprise/Seeking-Solutions-for-Forwarding-Splunk-Metadata-to-Third-Party/m-p/745932#M22230 <P>See my response in your other thread.</P> Mon, 12 May 2025 06:24:03 GMT https://community.splunk.com/t5/Splunk-Enterprise/Seeking-Solutions-for-Forwarding-Splunk-Metadata-to-Third-Party/m-p/745932#M22230 PickleRick 2025-05-12T06:24:03Z