topic Re: Forward Data to a third-party system in Getting Data In

Forward Data to a third-party system

shangshin — Wed, 14 Nov 2012 18:40:52 GMT

Hi,
I am using SplunkForwarder to forward data to a non-splunk system by adding the stanza below in outputs.conf.

To verify this, I log onto the server (e.g. 10.1.1.35) and run a unix command lsof | grep 6996

However, I don't see anything returned. Is there anything I miss? Thanks in advance!

[tcpout:fastlane]
server = 10.1.1.35:6996
sendCookedData = false

Re: Forward Data to a third-party system

alacercogitatus — Wed, 14 Nov 2012 18:55:32 GMT

Please post the props and transforms for the sourcetype "fastlane".

Re: Forward Data to a third-party system

shangshin — Mon, 28 Sep 2020 12:48:24 GMT

It's empty in props and transforms since I want to send all the data from this splunkforwarder.

However, I do have the stanza in inputs.conf

[monitor:///local/0/access.log]
host = myremosthost
sourcetype = fastlane
index = apache_access_log
disabled = 0

Re: Forward Data to a third-party system

alacercogitatus — Wed, 14 Nov 2012 19:16:04 GMT

Ok, so you will need to add this information into props and transforms. A quick reboot, and you should be set.

props.conf [fastlane] TRANSFORMS-forward = fastlaneTcpOut

transforms.conf [fastlaneTcpOut] REGEX = . DEST_KEY=_TCP_ROUTING FORMAT=fastlane

Re: Forward Data to a third-party system

shangshin — Wed, 14 Nov 2012 19:26:06 GMT

I just added the information accordingly and restarted the splunkforwarder. I tried to verify on the server of non-splunk system by using lsof | grep 6996 Howeever, nothing returns.

Is there a way to verfiy the raw data is successfully forwarded to the non-splunk system server? Thanks again!

Re: Forward Data to a third-party system

alacercogitatus — Wed, 14 Nov 2012 19:27:07 GMT

Well, what software is receiving this data on the non-splunk system server? Is it listening?

Re: Forward Data to a third-party system

shangshin — Wed, 14 Nov 2012 19:36:06 GMT

I don't use any special software to receive the data on linux but I did try to use linux command nc -l -p 6996 to listen on TCP port 6996

Is there a way to see log from the splunkforwarder for troubleshooting?

Re: Forward Data to a third-party system

alacercogitatus — Wed, 14 Nov 2012 19:39:25 GMT

You can't do this on the splunkforwarder, it has to be done on the indexer because of the use of TRANSFORMS (which is done at index time). Sorry, I missed that earlier.

Re: Forward Data to a third-party system

shangshin — Wed, 14 Nov 2012 20:12:58 GMT

Do you mean I have to run this on the splunk server, the one that receives data from the splunkforwarder?

I am confused because the document says
Splunk forwarders can forward raw data to non-Splunk systems.
http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Forwarddatatothird-partysystemsd

Re: Forward Data to a third-party system

alacercogitatus — Wed, 14 Nov 2012 20:15:57 GMT

Yes. There used to be such a thing as a "Heavy Forwarder", which will in fact do the third party output. However, the UniversalForwarder (which I assumed you were using, I should have asked) will not support that. Relevant part: you can configure a heavy forwarder to route data conditionally to third-party systems.

What is your current version of Splunk? Are you using a Universal Forwarder?

Re: Forward Data to a third-party system

shangshin — Wed, 14 Nov 2012 20:26:34 GMT

My splunk version is Splunk 4.3.1 (build 119532)

On the remote server, I am using Splunk Universal Forwarder 4.3.4 (build 136012)

So to do the third party output, do I need to install "Heavy Forwarder" on the splunk server?

Re: Forward Data to a third-party system

alacercogitatus — Wed, 14 Nov 2012 20:31:02 GMT

Nope, a "Heavy Forwarder" was basically an indexer that sent cooked data to the main indexers. You couldn't search a heavy forwarder, all the data was on the indexer. You will want to place the outputs.conf, props.conf, transforms.conf stanzas onto your Splunk Indexer(s).

Re: Forward Data to a third-party system

shangshin — Mon, 28 Sep 2020 12:48:49 GMT

YES, it's working on the "Heavy Forwarder".
One last question -- How can I limit the data to certain sourcetype only e.g. my_apache_access? Will this work? Thanks again!

In props.conf
[sourcetype::my_apache_access]
TRANSFORMS-nyc = apachelog

In transforms.conf
[apachelog]
REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT=apachelogreader

In outputs.conf
[tcpout:apachelogreader]
server=10.1.1.197:7999
sendCookedData=false

Re: Forward Data to a third-party system

alacercogitatus — Thu, 15 Nov 2012 16:22:34 GMT

In your props.conf the stanza is the sourcetype so the way you have it won't work, just remove the sourcetype:: and you should be all set.

Re: Forward Data to a third-party system

shangshin — Mon, 28 Sep 2020 12:48:52 GMT

updated props.conf as
[my_apache_access]
TRANSFORMS-routing = apachelog

Unfortunately, I still see all sourcetypes sending over TCP.
Should I place the updated files in local or default?
splunk/etc/system/local or splunk/etc/system/default

It shouldn't matter but jsut can't find out what's the right solution.

Re: Forward Data to a third-party system

shangshin — Thu, 15 Nov 2012 19:02:41 GMT

BTW, If I place all 3 config files at /splunk/etc/apps/SplunkForwarder/default, there will be no data sending out from the "heavy forwarder"

Re: Forward Data to a third-party system

alacercogitatus — Thu, 15 Nov 2012 19:14:39 GMT

I would place them in /splunk/etc/system/local. If you see other sourcetypes you may want to find /splunk/etc -name "outputs.conf and make sure nothing else is configured.

Re: Forward Data to a third-party system

saifuddin9122 — Tue, 26 Jul 2016 20:56:33 GMT

hello

i am in the same situation you faced. i am trying to forward the data from splunk (indexer) to non-splunk system.

at present as a non-splunk system am using a linux machine.
can you please help me how exactly i should achieve the goal

Re: Forward Data to a third-party system

vnguyen46 — Mon, 18 May 2020 16:27:41 GMT

in outputs.conf, don't forget to add [tcpout] on top if it is not already there - like when you create a fresh new file.

Thanks,

Re: Forward Data to a third-party system

acfecondo75 — Wed, 30 Sep 2020 05:27:58 GMT

On a universal forwarder, in outputs.conf, you can change the defaultGroup to determine where ALL data is routed to by default.

outputs.conf:

[tcpout:third_party]
server=<ip>:<port>
sendCookedData=false

[tcpout]
defaultGroup=third_party

You can also define multiple server groups and put a comma separated list of them for your defaultGroup if you want to send data to multiple. This way you could send the data to Splunk and the third party.

[tcpout:third_party]
server=<ip>:<port>
sendCookedData=false

[tcpout:splunk_idx]
server=<ip>:<port>

[tcpout]
defaultGroup=third_party, splunk_idx

For reference, defaultGroup is the default setting for the _TCP_ROUTING key that you manipulate via props and transforms on the HF to do this kind of routing on a source, host, or sourcetype basis.

If you send the data to a HF or convert the box to a full splunk install, you can route via props and transforms. Similar to how you can specify multiple dests with the previous example, you can do that on the HF if you want too by specifying a comma separated list of dests in the FORMAT attribute.