https://community.splunk.com/t5/Getting-Data-In/splunk-tcp-output-format/m-p/75775#M15464 <P>if I wanted to write a receiver for splunk data (i.e. have my index server(s) forward data via tcpout in the outputs.conf), is the format for splunk2splunk traffic published anywhere?</P> <P>I know it seems like an obscure need, but nonetheless, I've got it. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Thanks Steve</P> Sat, 23 Oct 2010 00:41:23 GMT Steve_Litras 2010-10-23T00:41:23Z https://community.splunk.com/t5/Getting-Data-In/splunk-tcp-output-format/m-p/75775#M15464 <P>if I wanted to write a receiver for splunk data (i.e. have my index server(s) forward data via tcpout in the outputs.conf), is the format for splunk2splunk traffic published anywhere?</P> <P>I know it seems like an obscure need, but nonetheless, I've got it. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Thanks Steve</P> Sat, 23 Oct 2010 00:41:23 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-tcp-output-format/m-p/75775#M15464 Steve_Litras 2010-10-23T00:41:23Z https://community.splunk.com/t5/Getting-Data-In/splunk-tcp-output-format/m-p/75776#M15465 <P>Why not just sending out syslog? Consuming this should be quite easy.</P> Sat, 23 Oct 2010 00:58:07 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-tcp-output-format/m-p/75776#M15465 ziegfried 2010-10-23T00:58:07Z https://community.splunk.com/t5/Getting-Data-In/splunk-tcp-output-format/m-p/75777#M15466 <P>The problem with the syslog output is that it just dumps the raw event, no metadata. I need some of the metadata from the cooked event stream.</P> Sat, 23 Oct 2010 01:37:30 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-tcp-output-format/m-p/75777#M15466 Steve_Litras 2010-10-23T01:37:30Z https://community.splunk.com/t5/Getting-Data-In/splunk-tcp-output-format/m-p/75778#M15467 <P>Maybe it would be easier to use a script that performs a constant realtime search on the events your're interested in and sends them to the target system.</P> Sat, 23 Oct 2010 01:44:30 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-tcp-output-format/m-p/75778#M15467 ziegfried 2010-10-23T01:44:30Z https://community.splunk.com/t5/Getting-Data-In/splunk-tcp-output-format/m-p/75779#M15468 <P>It's not documented, and probably never will be. If you need event metadata you're probably best off with the realtime search suggestion above -- that way you have control about exactly what fields you get.</P> Sat, 23 Oct 2010 07:33:16 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-tcp-output-format/m-p/75779#M15468 mitch_1 2010-10-23T07:33:16Z https://community.splunk.com/t5/Getting-Data-In/splunk-tcp-output-format/m-p/75780#M15469 <P>It doesn't look like a tremendously complex protocol. You can always fire up a netcat listener, dump everything to a file, and take a peek.</P> <P>Of course, there's no guarantee that it won't get changed in the next release of Splunk. Looks like the format is already on version 2.</P> Sat, 23 Oct 2010 08:28:37 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-tcp-output-format/m-p/75780#M15469 southeringtonp 2010-10-23T08:28:37Z