https://community.splunk.com/t5/Getting-Data-In/splunk-forwarder/m-p/14777#M1545 <P>I am planning to integrate Splunk data with MARS, would the cloning option work for Non-Splunk receiver as well? Or is it possible I could clone the data bein forwarded to its own Syslog, I can pull events from syslog accordingly....</P> Thu, 03 Jun 2010 05:08:48 GMT heterodyned 2010-06-03T05:08:48Z https://community.splunk.com/t5/Getting-Data-In/splunk-forwarder/m-p/14777#M1545 <P>I am planning to integrate Splunk data with MARS, would the cloning option work for Non-Splunk receiver as well? Or is it possible I could clone the data bein forwarded to its own Syslog, I can pull events from syslog accordingly....</P> Thu, 03 Jun 2010 05:08:48 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-forwarder/m-p/14777#M1545 heterodyned 2010-06-03T05:08:48Z https://community.splunk.com/t5/Getting-Data-In/splunk-forwarder/m-p/14778#M1546 <P>I'm not sure you can use native Splunk forwarding to clone data to a MARS device. If MARS can accept the data via a TCP stream (rather than UDP) and you want to send all data to MARS than you will need to turn off 'cooked data'. (by default, The forwarder mechanism expects a Splunk server on the other end). Either way I think what you are looking for can be found at: </P> <P><A href="http://www.splunk.com/base/Documentation/4.1.2/Admin/Forwarddatatothird-partysystems" rel="nofollow">http://www.splunk.com/base/Documentation/4.1.2/Admin/Forwarddatatothird-partysystems</A> </P> Thu, 03 Jun 2010 05:15:54 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-forwarder/m-p/14778#M1546 dskillman 2010-06-03T05:15:54Z https://community.splunk.com/t5/Getting-Data-In/splunk-forwarder/m-p/14779#M1547 <P>Is it possible otherwise, if the splunkforwarder can send syslog events to itself?? I wasnt able to configure MARS to accept tcp/udp connections on the fly with splunkforwarder....</P> Thu, 03 Jun 2010 07:17:49 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-forwarder/m-p/14779#M1547 heterodyned 2010-06-03T07:17:49Z https://community.splunk.com/t5/Getting-Data-In/splunk-forwarder/m-p/14780#M1548 <P>Not sure what you're trying to accomplish. What is the SplunkForwarder collecting? Is it getting data sent to it? Or are you tailing files? What data do you want sent to MARS?</P> Fri, 04 Jun 2010 00:14:07 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-forwarder/m-p/14780#M1548 dskillman 2010-06-04T00:14:07Z https://community.splunk.com/t5/Getting-Data-In/splunk-forwarder/m-p/14781#M1549 <P>I was trying to forward syslog events collectively from Splunk Forwarder to Cisco MARS, MARS requires individually configuring all the linux boxes to MARS, where as splunk is already configured to receive these syslog messages, I was jus trying to route that data to MARS ....I guess I shouldnt be doing it there is a basic compatibitility issue between these two application/device</P> Mon, 07 Jun 2010 06:57:35 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-forwarder/m-p/14781#M1549 heterodyned 2010-06-07T06:57:35Z https://community.splunk.com/t5/Getting-Data-In/splunk-forwarder/m-p/14782#M1550 <P>You can forward data to cloned targets, where targets can be either splunk instance or a device receiving TCP stream. In addition, you can also forward data to syslog target as well.</P> <P>The following configuration should enable cloning as well as forwarding via syslog. Set the following in outputs.conf:</P> <PRE> [tcpout] defaultGroup = group1, group2 # Clone data to group1 and group2 [tcpout:group1] server = indexer1:9997 [tcpout:group2] server = indexer2:9997 sendCookedData = false # Send raw TCP data(logs read by splunk) # Define syslog to send data to syslog target [syslog] defaultgroup = syslogGroup1 [syslog:syslogGroup1] server = syslogServer:514 # This prevents local indexing. To enable indexing, set index = true [indexAndForward] index = false </PRE> Fri, 25 Jun 2010 03:35:44 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-forwarder/m-p/14782#M1550 Jag 2010-06-25T03:35:44Z