topic Re: Forwarding data to third party from universal forwarder in Getting Data In

Forwarding data to third party from universal forwarder

jflaherty — Tue, 18 Jul 2017 17:29:42 GMT

Hello,

I currently have some Windows Servers with the Universal Forwarder installed that are sending data to our indexer. I am now in a situation where I need to have the forwarder also send the data to a third party server. According to the documentation, the following in outputs.conf should send all data;

[tcpout]

[tcpout:fastlane]
server = 10.1.1.2:1517
sendCookedData = false

However, I have the third party server getting data but only is receiving "INFO" type logs which appear to be transaction type information from the splunk forwarder program itself and not the actual log data (windows events iis etc.) that I am sending into splunk that I need.

Am I missing something or will the universal forwarder not send that data?

Thanks

Re: Forwarding data to third party from universal forwarder

jflaherty — Tue, 29 Sep 2020 14:58:08 GMT

Figured it out. I need to add the group fastlane to the tcpout default group;

[tcpout]
defaultGroup = default-autolb-group*, fastlane <--- Added*

Thanks

Re: Forwarding data to third party from universal forwarder

mdsnmss — Tue, 18 Jul 2017 19:49:26 GMT

Do you have a props.conf and transforms.conf configured to tell the forwarder what data to send? See: http://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Forwarddatatothird-partysystemsd

In props.conf:

 [<sourcetype/data to send>]
 TRANSFORMS-fastlane = fastlane

In transforms.conf

    [fastlane]
    REGEX = .
    DEST_KEY=_TCP_ROUTING
    FORMAT=fastlane

It might vary a bit for your configuration but the linked docs walk through it pretty well.

Re: Forwarding data to third party from universal forwarder

jflaherty — Tue, 18 Jul 2017 19:53:19 GMT

I saw that in the documentation but it said it was for a heavy forwarder, I am using a Universal Forwarder. I will give it a try and see, it would allow me to separate better than the way I was doing it with the default group. Thansk

Re: Forwarding data to third party from universal forwarder

mdsnmss — Tue, 18 Jul 2017 19:55:34 GMT

Yep, you're right. I believe with a universal forwarder you can forward everything using what you just posted. Using a heavy forwarder you can selectively forward data to the third-party system.

Re: Forwarding data to third party from universal forwarder

chakradhar_maje — Wed, 08 Aug 2018 14:33:36 GMT

How to check the data in third party server

Re: Forwarding data to third party from universal forwarder

deepak453 — Tue, 29 Sep 2020 20:49:56 GMT

Where you have added the below, Is the same in outputs.conf located in local directory? I am really a newbie in splunk, would like to know did you updated below as is.

[tcpout]
defaultGroup = default-autolb-group*, fastlane <--- Added*

Re: Forwarding data to third party from universal forwarder

ddrillic — Thu, 09 Aug 2018 14:30:36 GMT

We do the following -

In outputs.conf we specify multiple tcpout stanzas -

[tcpout:xxxxxx]
....


[tcpout:yyyyyy]
....

If you don't specify anything in inputs.conf all data will be streamed to both directions (or three if you choose to).