https://community.splunk.com/t5/Getting-Data-In/What-are-other-options-for-getting-data-into-Splunk-without-a/m-p/127292#M26191 <P>Do your antiques speak syslog or a related network-based protocol?</P> Wed, 19 Nov 2014 20:07:44 GMT martin_mueller 2014-11-19T20:07:44Z https://community.splunk.com/t5/Getting-Data-In/What-are-other-options-for-getting-data-into-Splunk-without-a/m-p/127291#M26190 <P>I have some computing antiques running Unix; I need to monitor some files on them, and get them into Splunk.</P> <P>I read <A href="http://answers.splunk.com/answers/8328/best-practice-for-getting-data-into-splunk-without-a-forwarder.html:">http://answers.splunk.com/answers/8328/best-practice-for-getting-data-into-splunk-without-a-forwarder.html:</A> the "scripted/scheduled-copy-files-to-a-machine-that-does-have-a-forwarder" seems reasonable/doable, and is probably where I'll end up unless I find something better. BUT....</P> <P>One thing I've been mentally toying with is running a (perl?) script to tail the files and ship them via TCP to an indexer listening on a port dedicated to the purpose.</P> <P>I have a hard time believing that we are the first people going down this road; has anyone else done this?</P> <P>has anyone cooked up any solutions other than the ones in <A href="http://answers.splunk.com/answers/8328/best-practice-for-getting-data-into-splunk-without-a-forwarder.html">http://answers.splunk.com/answers/8328/best-practice-for-getting-data-into-splunk-without-a-forwarder.html</A> ?</P> Wed, 19 Nov 2014 19:02:12 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-other-options-for-getting-data-into-Splunk-without-a/m-p/127291#M26190 wegscd 2014-11-19T19:02:12Z https://community.splunk.com/t5/Getting-Data-In/What-are-other-options-for-getting-data-into-Splunk-without-a/m-p/127292#M26191 <P>Do your antiques speak syslog or a related network-based protocol?</P> Wed, 19 Nov 2014 20:07:44 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-other-options-for-getting-data-into-Splunk-without-a/m-p/127292#M26191 martin_mueller 2014-11-19T20:07:44Z https://community.splunk.com/t5/Getting-Data-In/What-are-other-options-for-getting-data-into-Splunk-without-a/m-p/127293#M26192 <P>the antiques do speak syslog, but do not have a syslog daemon available that allows one to send files via the syslog protocol.</P> Wed, 19 Nov 2014 20:58:23 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-other-options-for-getting-data-into-Splunk-without-a/m-p/127293#M26192 wegscd 2014-11-19T20:58:23Z https://community.splunk.com/t5/Getting-Data-In/What-are-other-options-for-getting-data-into-Splunk-without-a/m-p/127294#M26193 <P>Don't forget that Splunk can be used as a Syslog server: <A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/SyslogTCP">http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/SyslogTCP</A><BR /> <EM>(if your Splunk is not running as Root, just use iptables to redirect the TCP/514 and UDP/514 portd to the Splunk listening port)</EM></P> <P>Anyway, if you dislike the option above, do you have netcat available on the servers? Even if not, you might be able to easily compile and drop the binary on the servers: <A href="http://docs.splunk.com/Documentation/Storm/Storm/User/Howtoforwarddatavianetcat">http://docs.splunk.com/Documentation/Storm/Storm/User/Howtoforwarddatavianetcat</A><BR /> You could simply use with tail as the example above or create a smarter script that runs every X seconds and sends only the deltas.</P> <P>Well, I still would prefer to spend the time deploying a proper syslog deamon and use it, nothing complicated. You might find out other things you could be sending to that syslog server in the future to justify the effort.</P> Wed, 19 Nov 2014 21:56:49 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-other-options-for-getting-data-into-Splunk-without-a/m-p/127294#M26193 musskopf 2014-11-19T21:56:49Z https://community.splunk.com/t5/Getting-Data-In/What-are-other-options-for-getting-data-into-Splunk-without-a/m-p/127295#M26194 <P>Ah. What kind of antique are we talking about?</P> Wed, 19 Nov 2014 23:17:07 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-other-options-for-getting-data-into-Splunk-without-a/m-p/127295#M26194 martin_mueller 2014-11-19T23:17:07Z https://community.splunk.com/t5/Getting-Data-In/What-are-other-options-for-getting-data-into-Splunk-without-a/m-p/127296#M26195 <P><IMG src="http://files.cyberciti.biz/uploads/tips/2011/12/unix-pdp11.jpg" alt="Antique Unix Admin" /></P> Wed, 19 Nov 2014 23:21:50 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-other-options-for-getting-data-into-Splunk-without-a/m-p/127296#M26195 musskopf 2014-11-19T23:21:50Z https://community.splunk.com/t5/Getting-Data-In/What-are-other-options-for-getting-data-into-Splunk-without-a/m-p/127297#M26196 <P>The biggest reason I can see for deploying a syslog server that will forward to Splunk is that you will drop lots of syslog packets when you restart a splunk indexer because it takes so much time to restart one, and syslog usually is UDP, so there is no re-try if the send failed because the index server was down.</P> <P>The syslog server running with a forwarder is a good option, if you don't want to use a forwarder. But a forwarder is always better. If your network goes down, a syslog server (or splunk relying on syslog) never gets the data, while the forwarders will always start from the point of disconnect to the present when the network comes back up. No lost data.</P> <P>You can use the REST API to send data to Splunk, but it isn't much different from using a forwarder. We have Cloud Foundry servers that use the REST API because they have more control over the data sent.</P> Wed, 19 Nov 2014 23:22:27 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-other-options-for-getting-data-into-Splunk-without-a/m-p/127297#M26196 cpetterborg 2014-11-19T23:22:27Z https://community.splunk.com/t5/Getting-Data-In/What-are-other-options-for-getting-data-into-Splunk-without-a/m-p/127298#M26197 <P>very old AIX....</P> Mon, 24 Nov 2014 14:07:24 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-other-options-for-getting-data-into-Splunk-without-a/m-p/127298#M26197 wegscd 2014-11-24T14:07:24Z https://community.splunk.com/t5/Getting-Data-In/What-are-other-options-for-getting-data-into-Splunk-without-a/m-p/127299#M26198 <P>the receiving end isn't the issue. the sending end is the issue.</P> <P>netcat or socat can take care of the transport, now the issue is just having a tail-like utility that can persist it's view of where it left off (so we don't double index after a restart)...</P> Mon, 24 Nov 2014 14:09:02 GMT https://community.splunk.com/t5/Getting-Data-In/What-are-other-options-for-getting-data-into-Splunk-without-a/m-p/127299#M26198 wegscd 2014-11-24T14:09:02Z