https://community.splunk.com/t5/Splunk-Enterprise/Forwarder-send-data-to-http-event-collector/m-p/342192#M6683 <P>You can send <CODE>S2S</CODE> (splunk-to-splunk) over any port that you like so what I would do is just use this, but use your preferred port instead of the default of <CODE>9997</CODE>:</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/Forwardmasterdata">https://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/Forwardmasterdata</A><BR /> I am assuming that when you say "splunk instance" that you mean "splunk indexer" but if you just mean "splunk forwarder" then again, you can do the same thing in <CODE>outputs.conf</CODE> but you will also have to do a similar thing in <CODE>inputs.conf</CODE> for your receiving Splunk indexers to receive it.</P> Tue, 13 Jun 2017 11:45:51 GMT woodcock 2017-06-13T11:45:51Z https://community.splunk.com/t5/Splunk-Enterprise/Forwarder-send-data-to-http-event-collector/m-p/342189#M6680 <P>Hi,</P> <P>we would like to forward all data from a splunk instance in the "cloud" to an on-premise http event collector. Is there a way of doing this? </P> <P>cheers,<BR /> Andy</P> Mon, 12 Jun 2017 06:57:11 GMT https://community.splunk.com/t5/Splunk-Enterprise/Forwarder-send-data-to-http-event-collector/m-p/342189#M6680 kochera 2017-06-12T06:57:11Z https://community.splunk.com/t5/Splunk-Enterprise/Forwarder-send-data-to-http-event-collector/m-p/342190#M6681 <P>If you wanted to send to HEC, you'd basically have to export the search results to file, and then post those to the HEC endpoint. </P> <P>If you're sending Splunk-2-Splunk, why are you wanting to use HEC? You can add and outputs on one of your "Cloud Instances" that points to your on-premise Splunk, and selectively forward data.. Check out the Routing and Filtering of data : <A href="http://docs.splunk.com/Documentation/Splunk/6.6.1/Forwarding/Routeandfilterdatad">http://docs.splunk.com/Documentation/Splunk/6.6.1/Forwarding/Routeandfilterdatad</A></P> Mon, 12 Jun 2017 07:32:15 GMT https://community.splunk.com/t5/Splunk-Enterprise/Forwarder-send-data-to-http-event-collector/m-p/342190#M6681 esix_splunk 2017-06-12T07:32:15Z https://community.splunk.com/t5/Splunk-Enterprise/Forwarder-send-data-to-http-event-collector/m-p/342191#M6682 <P>Hi, <BR /> the reason why we want to use HEC is that we don't want to open additonal tcp ports towards our on-premise Splunk instance.</P> <P>cheers,<BR /> Andy</P> Mon, 12 Jun 2017 07:46:26 GMT https://community.splunk.com/t5/Splunk-Enterprise/Forwarder-send-data-to-http-event-collector/m-p/342191#M6682 kochera 2017-06-12T07:46:26Z https://community.splunk.com/t5/Splunk-Enterprise/Forwarder-send-data-to-http-event-collector/m-p/342192#M6683 <P>You can send <CODE>S2S</CODE> (splunk-to-splunk) over any port that you like so what I would do is just use this, but use your preferred port instead of the default of <CODE>9997</CODE>:</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/Forwardmasterdata">https://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/Forwardmasterdata</A><BR /> I am assuming that when you say "splunk instance" that you mean "splunk indexer" but if you just mean "splunk forwarder" then again, you can do the same thing in <CODE>outputs.conf</CODE> but you will also have to do a similar thing in <CODE>inputs.conf</CODE> for your receiving Splunk indexers to receive it.</P> Tue, 13 Jun 2017 11:45:51 GMT https://community.splunk.com/t5/Splunk-Enterprise/Forwarder-send-data-to-http-event-collector/m-p/342192#M6683 woodcock 2017-06-13T11:45:51Z https://community.splunk.com/t5/Splunk-Enterprise/Forwarder-send-data-to-http-event-collector/m-p/342193#M6684 <P>Hi, <BR /> we already have a HEC up and running and this is the only service we want to expose.</P> <P>cheers,<BR /> Andy</P> Tue, 13 Jun 2017 11:58:25 GMT https://community.splunk.com/t5/Splunk-Enterprise/Forwarder-send-data-to-http-event-collector/m-p/342193#M6684 kochera 2017-06-13T11:58:25Z