https://community.splunk.com/t5/Getting-Data-In/getting-access-to-raw-events-on-forwarders/m-p/62348#M12457 <P>Our application requires access to raw events on light forwarders to do some custome processing before (or at the same time) as the events get passed to central indexer. Is there any way to <EM>tee</EM> the even stream on forwarder to split the stream into two destinations - the splunk indexer AND our separate processor? If so, is it possible for us to get some kind of the ID that is (will be) assigned to the current event so our database can have a reference to the original even as it is being added to the database? </P> Thu, 13 Dec 2012 13:11:34 GMT ViewPoint 2012-12-13T13:11:34Z https://community.splunk.com/t5/Getting-Data-In/getting-access-to-raw-events-on-forwarders/m-p/62348#M12457 <P>Our application requires access to raw events on light forwarders to do some custome processing before (or at the same time) as the events get passed to central indexer. Is there any way to <EM>tee</EM> the even stream on forwarder to split the stream into two destinations - the splunk indexer AND our separate processor? If so, is it possible for us to get some kind of the ID that is (will be) assigned to the current event so our database can have a reference to the original even as it is being added to the database? </P> Thu, 13 Dec 2012 13:11:34 GMT https://community.splunk.com/t5/Getting-Data-In/getting-access-to-raw-events-on-forwarders/m-p/62348#M12457 ViewPoint 2012-12-13T13:11:34Z https://community.splunk.com/t5/Getting-Data-In/getting-access-to-raw-events-on-forwarders/m-p/62349#M12458 <P>The lightweight and universal forwarder do not parse the events.<BR /> If you want to use splunk to process the events, use an heavy forwarder with props and transforms.</P> <P>Beware the data will be parsed when send to the indexer who will not parse then twice, so make sure that your heavy forwarder as all the rules that you also apply on the indexers.</P> <P>see <A href="http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Deployaforwarder">http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Deployaforwarder</A></P> Thu, 13 Dec 2012 16:47:09 GMT https://community.splunk.com/t5/Getting-Data-In/getting-access-to-raw-events-on-forwarders/m-p/62349#M12458 yannK 2012-12-13T16:47:09Z https://community.splunk.com/t5/Getting-Data-In/getting-access-to-raw-events-on-forwarders/m-p/62350#M12459 <P>About your double processing (in splunk and in your database) <BR /> You can send a copy of some events to a third party system as raw or syslog.<BR /> see <A href="http://docs.splunk.com/Documentation/Splunk/5.0.1/Deploy/Forwarddatatothird-partysystemsd">http://docs.splunk.com/Documentation/Splunk/5.0.1/Deploy/Forwarddatatothird-partysystemsd</A></P> <P>For the unique ID to identify the same events in splunk kand in the third party system, this requires that you added the unique id yourself to your events. (probably in the original log before the indexing)</P> Thu, 13 Dec 2012 16:50:13 GMT https://community.splunk.com/t5/Getting-Data-In/getting-access-to-raw-events-on-forwarders/m-p/62350#M12459 yannK 2012-12-13T16:50:13Z https://community.splunk.com/t5/Getting-Data-In/getting-access-to-raw-events-on-forwarders/m-p/62351#M12460 <P>It is possible to forward raw data to third party servers by configuring <CODE>$SPLUNK_FORWARDER_HOME/etc/system/local/outputs.conf</CODE> on the forwarder instance in this manner:</P> <PRE><CODE>[tcpout] [tcpout:fastlane] server = 10.1.1.35:6996 sendCookedData = false </CODE></PRE> <P>The last line prevents the data from being prepended with additional timestamps.</P> <P>Source: <A href="http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Forwarddatatothird-partysystemsd">http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Forwarddatatothird-partysystemsd</A></P> <P>Note: <CODE>$SPLUNK_FORWARDER_HOME</CODE> is <CODE>/opt/splunkforwarder</CODE> for a typical Linux installation.</P> Wed, 13 Feb 2013 09:24:22 GMT https://community.splunk.com/t5/Getting-Data-In/getting-access-to-raw-events-on-forwarders/m-p/62351#M12460 MikhailArefiev 2013-02-13T09:24:22Z