<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Using Splunk UF to send data to ELK in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Using-Splunk-UF-to-send-data-to-ELK/m-p/750724#M119263</link>
    <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/308546"&gt;@Na_Kang_Lim&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You will also need to update the&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;defaultGroup=my_indexer_cluster&lt;/LI-CODE&gt;&lt;P&gt;to&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;defaultGroup=my_indexer_cluster,elk_server&lt;/LI-CODE&gt;&lt;P&gt;so that it sends to both. The reason that you are getting the metrics is that some inputs.conf stanzas, such as the splunk.version monitor stanza, have "_TCP_ROUTING = *", which sends to all output groups.&lt;/P&gt;&lt;P&gt;You will need to either make the change in the app where the defaultGroup is already defined, or push it out through another app which has a higher &lt;A href="https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Wheretofindtheconfigurationfiles" target="_self"&gt;order of precedence&lt;/A&gt;. It might be easiest to change this in the existing app if possible.&lt;/P&gt;&lt;P&gt;&lt;span class="lia-unicode-emoji" title=":glowing_star:"&gt;🌟&lt;/span&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;Did this answer help you?&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;If so, please consider:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Adding karma to show it was useful&lt;/LI&gt;&lt;LI&gt;Marking it as the solution if it resolved your issue&lt;/LI&gt;&lt;LI&gt;Commenting if you need any clarification&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Your feedback encourages the volunteers in this community to continue contributing.&lt;/P&gt;</description>
    <pubDate>Wed, 30 Jul 2025 08:43:44 GMT</pubDate>
    <dc:creator>livehybrid</dc:creator>
    <dc:date>2025-07-30T08:43:44Z</dc:date>
    <item>
      <title>Using Splunk UF to send data to ELK</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-Splunk-UF-to-send-data-to-ELK/m-p/750721#M119262</link>
      <description>&lt;P&gt;Hi, as the question suggests, I am trying to send 2 streams of logs.&lt;/P&gt;&lt;P&gt;From the document&amp;nbsp;&lt;A href="https://docs.splunk.com/Documentation/Splunk/9.4.2/Forwarding/Forwarddatatothird-partysystemsd" target="_blank"&gt;Forward data to third-party systems - Splunk Documentation&lt;/A&gt;&amp;nbsp;I know there are 2 limitations:&lt;BR /&gt;- I can only send raw data&lt;/P&gt;&lt;P&gt;- I cannot filter only the data I want&lt;/P&gt;&lt;P&gt;So sending all data is OK for me.&lt;/P&gt;&lt;P&gt;Currently, my UF has this app called INDEXER_OUTPUT, which in its default/outputs.conf has these configs:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[tcpout]
defaultGroup=my_indexer_cluster
autoLBFrequency=300

[tcpout:my_indexer_cluster]
server=&amp;lt;indexer_01_ip&amp;gt;:9997,&amp;lt;indexer_02_ip&amp;gt;:9997,&amp;lt;indexer_03_ip&amp;gt;:9997,&amp;lt;indexer_04_ip&amp;gt;:9997

[tcpout-server://&amp;lt;indexer_01_ip&amp;gt;:9997]

[tcpout-server://&amp;lt;indexer_02_ip&amp;gt;:9997]

[tcpout-server://&amp;lt;indexer_03_ip&amp;gt;:9997]

[tcpout-server://&amp;lt;indexer_04_ip&amp;gt;:9997]&lt;/LI-CODE&gt;&lt;P&gt;So what I did was create another server class, with a single app within called ELK_OUTPUT. It also has a single default/outputs.conf file with this config:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[tcpout]

[tcpout:elk_server]
server=&amp;lt;elk_server_ip&amp;gt;:3514
sendCookedData=false&lt;/LI-CODE&gt;&lt;P&gt;Upon adding the client to the server class, what I noticed is a weird behavior:&lt;BR /&gt;&lt;STRONG&gt;I only get the metrics.log sent to the ELK server&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;What I am suspecting is that maybe, because my [WinEventLog://Security] input stanza contains "renderXML = true" and "evt_resolve_ad_obj = 1", it is no longer considered "raw data"?&lt;/P&gt;</description>
      <pubDate>Wed, 30 Jul 2025 08:26:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-Splunk-UF-to-send-data-to-ELK/m-p/750721#M119262</guid>
      <dc:creator>Na_Kang_Lim</dc:creator>
      <dc:date>2025-07-30T08:26:06Z</dc:date>
    </item>
    <item>
      <title>Re: Using Splunk UF to send data to ELK</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-Splunk-UF-to-send-data-to-ELK/m-p/750724#M119263</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/308546"&gt;@Na_Kang_Lim&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You will also need to update the&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;defaultGroup=my_indexer_cluster&lt;/LI-CODE&gt;&lt;P&gt;to&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;defaultGroup=my_indexer_cluster,elk_server&lt;/LI-CODE&gt;&lt;P&gt;so that it sends to both. The reason that you are getting the metrics is that some inputs.conf stanzas, such as the splunk.version monitor stanza, have "_TCP_ROUTING = *", which sends to all output groups.&lt;/P&gt;&lt;P&gt;You will need to either make the change in the app where the defaultGroup is already defined, or push it out through another app which has a higher &lt;A href="https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Wheretofindtheconfigurationfiles" target="_self"&gt;order of precedence&lt;/A&gt;. It might be easiest to change this in the existing app if possible.&lt;/P&gt;&lt;P&gt;&lt;span class="lia-unicode-emoji" title=":glowing_star:"&gt;🌟&lt;/span&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;Did this answer help you?&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;If so, please consider:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Adding karma to show it was useful&lt;/LI&gt;&lt;LI&gt;Marking it as the solution if it resolved your issue&lt;/LI&gt;&lt;LI&gt;Commenting if you need any clarification&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Your feedback encourages the volunteers in this community to continue contributing.&lt;/P&gt;</description>
      <pubDate>Wed, 30 Jul 2025 08:43:44 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-Splunk-UF-to-send-data-to-ELK/m-p/750724#M119263</guid>
      <dc:creator>livehybrid</dc:creator>
      <dc:date>2025-07-30T08:43:44Z</dc:date>
    </item>
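The routing rule the reply above describes (defaultGroup is the fallback, an input stanza's _TCP_ROUTING overrides it, and "*" means every tcpout group), modelled in Python as an added example. This is not code from the thread or from Splunk: the two outputs.conf texts are constructed copies of the question's apps with placeholder hostnames instead of the real IPs, app precedence is simplified to an explicit list supplied by the caller (Splunk's own rules decide which app is higher; the reply links them), and the "fixed" app is the reply's suggestion of editing defaultGroup in the existing INDEXER_OUTPUT app.

```python
"""Model which tcpout groups a universal forwarder sends an input to,
given layered outputs.conf files. Added example; not Splunk's code."""
import configparser
from typing import Dict, List, Optional

Conf = Dict[str, Dict[str, str]]

# Constructed copy of INDEXER_OUTPUT/default/outputs.conf from the question
# (placeholder hostnames; the real config uses IP addresses).
INDEXER_OUTPUT = """
[tcpout]
defaultGroup=my_indexer_cluster
autoLBFrequency=300

[tcpout:my_indexer_cluster]
server=INDEXER_01:9997,INDEXER_02:9997,INDEXER_03:9997,INDEXER_04:9997

[tcpout-server://INDEXER_01:9997]

[tcpout-server://INDEXER_02:9997]
"""

# Constructed copy of ELK_OUTPUT/default/outputs.conf from the question.
ELK_OUTPUT = """
[tcpout]

[tcpout:elk_server]
server=ELK_SERVER:3514
sendCookedData=false
"""

# The reply's fix, applied in the existing app: defaultGroup lists both groups.
INDEXER_OUTPUT_FIXED = INDEXER_OUTPUT.replace(
    "defaultGroup=my_indexer_cluster",
    "defaultGroup=my_indexer_cluster,elk_server",
)


def parse_conf(text: str) -> Conf:
    """Parse a Splunk .conf file (INI-style stanzas) into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # Splunk keys are case-sensitive (defaultGroup, sendCookedData)
    cp.read_string(text)
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}


def merge_layers(layers: List[Conf]) -> Conf:
    """Merge conf layers; layers[0] has the highest precedence.

    Stanzas are unioned and, within a stanza, a key set by a higher-precedence
    layer wins. The caller passes the apps already in Splunk precedence order
    (simplification: this does not implement Splunk's directory ordering).
    """
    merged: Conf = {}
    for layer in reversed(layers):  # lowest precedence first, higher ones overwrite
        for stanza, keys in layer.items():
            merged.setdefault(stanza, {}).update(keys)
    return merged


def tcpout_groups(outputs: Conf) -> List[str]:
    """Every group defined by a [tcpout:NAME] stanza."""
    return [s.split(":", 1)[1] for s in outputs if s.startswith("tcpout:")]


def route(outputs: Conf, tcp_routing: Optional[str] = None) -> List[str]:
    """Return the groups an input's events go to.

    tcp_routing is the input stanza's _TCP_ROUTING (None when unset):
    "*" means all defined groups, "a,b" means those groups, and unset
    falls back to [tcpout] defaultGroup.
    """
    if tcp_routing == "*":
        return sorted(tcpout_groups(outputs))
    raw = tcp_routing or outputs.get("tcpout", {}).get("defaultGroup", "")
    return [g.strip() for g in raw.split(",") if g.strip()]


def is_raw(outputs: Conf, group: str) -> bool:
    """True when the group sends uncooked data (sendCookedData=false),
    which a third-party receiver such as ELK needs."""
    value = outputs.get("tcpout:" + group, {}).get("sendCookedData", "true")
    return value.strip().lower() == "false"


# Merged view of the UF before and after the fix (ELK_OUTPUT listed first only
# because it defines no conflicting keys; order would matter if it did).
BEFORE = merge_layers([parse_conf(ELK_OUTPUT), parse_conf(INDEXER_OUTPUT)])
AFTER = merge_layers([parse_conf(ELK_OUTPUT), parse_conf(INDEXER_OUTPUT_FIXED)])

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, "WinEventLog://Security (no _TCP_ROUTING) goes to", route(conf))
        print(label, "splunk.version monitor (_TCP_ROUTING=*) goes to", route(conf, "*"))
```

Run as-is it prints the symptom from the question for the "before" state (only the "_TCP_ROUTING = *" input reaches elk_server; everything else goes to the indexer cluster alone) and both destinations for every input once defaultGroup names both groups. The sendCookedData=false check is kept per group because adding a group to defaultGroup does not change how that group encodes data.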
  </channel>
</rss>

