https://community.splunk.com/t5/Getting-Data-In/How-to-forwarded-logs-from-Splunk-to-MCAS/m-p/460146#M79442 <P>Thanks a lot </P> Wed, 20 May 2020 06:26:38 GMT rayar 2020-05-20T06:26:38Z https://community.splunk.com/t5/Getting-Data-In/How-to-forwarded-logs-from-Splunk-to-MCAS/m-p/460138#M79434 <P>Hi</P> <P>What will be the best way to implement the below request ?</P> <P>We need to configure the some logs to be forwarded from Splunk to MCAS Server (Server in the same network like Splunk server )<BR /> Logs should be forwarded in Syslog or FTP and based on a specific query </P> Tue, 19 May 2020 13:11:50 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forwarded-logs-from-Splunk-to-MCAS/m-p/460138#M79434 rayar 2020-05-19T13:11:50Z https://community.splunk.com/t5/Getting-Data-In/How-to-forwarded-logs-from-Splunk-to-MCAS/m-p/460139#M79435 <P>See the docs at <A href="https://docs.splunk.com/Documentation/Splunk/8.0.3/Forwarding/Forwarddatatothird-partysystemsd">https://docs.splunk.com/Documentation/Splunk/8.0.3/Forwarding/Forwarddatatothird-partysystemsd</A> . While some filtering is possible, you cannot forward the results of a query.</P> Tue, 19 May 2020 13:45:49 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forwarded-logs-from-Splunk-to-MCAS/m-p/460139#M79435 richgalloway 2020-05-19T13:45:49Z https://community.splunk.com/t5/Getting-Data-In/How-to-forwarded-logs-from-Splunk-to-MCAS/m-p/460140#M79436 <P>Hi<BR /> I am getting "Hi! This page does not exist, or has been removed from the Documentation."<BR /> so is there another way to send search results to external system ?</P> Tue, 19 May 2020 13:48:24 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forwarded-logs-from-Splunk-to-MCAS/m-p/460140#M79436 rayar 2020-05-19T13:48:24Z https://community.splunk.com/t5/Getting-Data-In/How-to-forwarded-logs-from-Splunk-to-MCAS/m-p/460141#M79437 <P>Splunk didn't like the period at the end of the sentence. Try the revised answer.</P> Tue, 19 May 2020 14:06:48 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forwarded-logs-from-Splunk-to-MCAS/m-p/460141#M79437 richgalloway 2020-05-19T14:06:48Z https://community.splunk.com/t5/Getting-Data-In/How-to-forwarded-logs-from-Splunk-to-MCAS/m-p/460142#M79438 <P>thanks , I was able to open the doc </P> <P>so there is no way to sent the results of such query to external system ?</P> <P>index=websense AND act="Permitted"<BR /> | fields _time, suser, src, dst, act, request, in, out<BR /> | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) as Time<BR /> | table Time, suser, src, dst, act, request, in, out </P> Wed, 30 Sep 2020 05:30:44 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forwarded-logs-from-Splunk-to-MCAS/m-p/460142#M79438 rayar 2020-09-30T05:30:44Z https://community.splunk.com/t5/Getting-Data-In/How-to-forwarded-logs-from-Splunk-to-MCAS/m-p/460143#M79439 <P>No straightforward way. You could schedule a report that saves query results in a CSV file and use a cron job to ship that file to another system.</P> Tue, 19 May 2020 14:30:16 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forwarded-logs-from-Splunk-to-MCAS/m-p/460143#M79439 richgalloway 2020-05-19T14:30:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-forwarded-logs-from-Splunk-to-MCAS/m-p/460144#M79440 <P>and if I want to send in CEF format to the MCAS server <BR /> where I define the target server ? </P> Tue, 19 May 2020 14:45:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forwarded-logs-from-Splunk-to-MCAS/m-p/460144#M79440 rayar 2020-05-19T14:45:33Z https://community.splunk.com/t5/Getting-Data-In/How-to-forwarded-logs-from-Splunk-to-MCAS/m-p/460145#M79441 <P>Your cron job could invoke a Python script that does the conversion. The target server could be in the script or an external configurable.</P> Tue, 19 May 2020 16:41:00 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forwarded-logs-from-Splunk-to-MCAS/m-p/460145#M79441 richgalloway 2020-05-19T16:41:00Z https://community.splunk.com/t5/Getting-Data-In/How-to-forwarded-logs-from-Splunk-to-MCAS/m-p/460146#M79442 <P>Thanks a lot </P> Wed, 20 May 2020 06:26:38 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forwarded-logs-from-Splunk-to-MCAS/m-p/460146#M79442 rayar 2020-05-20T06:26:38Z