https://community.splunk.com/t5/Getting-Data-In/Splunk-integration-with-other-tool/m-p/534774#M89722 <P>Universal Forwarders can send data only to another Splunk instances. You should setup outputs.conf only on indexers or heavy forwarders to forward data to third party. You can select data by using host, source, sourcetype or regex based on data contents.</P> Tue, 05 Jan 2021 11:02:28 GMT scelikok 2021-01-05T11:02:28Z https://community.splunk.com/t5/Getting-Data-In/Splunk-integration-with-other-tool/m-p/534681#M89711 <P>Hello&nbsp;</P><P>I am having a single instance of Splunk enterprise on my environment ,Is there a way to forward the Splunk data to other SIEM product on required basis.</P><P>Could you please help us to provide the details to procedure on this.</P> Mon, 04 Jan 2021 11:56:44 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-integration-with-other-tool/m-p/534681#M89711 splkadmin 2021-01-04T11:56:44Z https://community.splunk.com/t5/Getting-Data-In/Splunk-integration-with-other-tool/m-p/534753#M89718 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230015">@splkadmin</a>,</P><P>You can see options sending data to third parties on below document.</P><P><A href="https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd</A></P><P>&nbsp;</P><P>If this reply helps you an upvote is appreciated.</P> Tue, 05 Jan 2021 05:32:37 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-integration-with-other-tool/m-p/534753#M89718 scelikok 2021-01-05T05:32:37Z https://community.splunk.com/t5/Getting-Data-In/Splunk-integration-with-other-tool/m-p/534770#M89721 <P>In that case do we need to add the output.conf&nbsp; on each client server that i have installed a universal forwarder or should I add only to the Splunk enterprise instance that suppose to forward the all client logs to the third party server.</P> Tue, 05 Jan 2021 10:20:27 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-integration-with-other-tool/m-p/534770#M89721 splkadmin 2021-01-05T10:20:27Z https://community.splunk.com/t5/Getting-Data-In/Splunk-integration-with-other-tool/m-p/534774#M89722 <P>Universal Forwarders can send data only to another Splunk instances. You should setup outputs.conf only on indexers or heavy forwarders to forward data to third party. You can select data by using host, source, sourcetype or regex based on data contents.</P> Tue, 05 Jan 2021 11:02:28 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-integration-with-other-tool/m-p/534774#M89722 scelikok 2021-01-05T11:02:28Z https://community.splunk.com/t5/Getting-Data-In/Splunk-integration-with-other-tool/m-p/535642#M89830 <P>Thank you for your reply ..</P><P>Ok I have single instance of Splunk&nbsp; enterprise and installed a universal forwarder on all the client.</P><P>Now I have to sent data to third party SIEM systems..</P><P>Should I configure only output.conf or just add the forwarded IP on Splunk instance console ?</P><P>do we able to configure a props.conf<SPAN>&nbsp;and&nbsp;</SPAN>transforms.conf on same instance? or do I require heavy forwarder to do that.</P><P>&nbsp;</P> Wed, 13 Jan 2021 12:32:20 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-integration-with-other-tool/m-p/535642#M89830 splkadmin 2021-01-13T12:32:20Z https://community.splunk.com/t5/Getting-Data-In/Splunk-integration-with-other-tool/m-p/535694#M89843 <P>You can use single-instance Splunk Enterprise to forward data using methods/samples provided in the document. You do not need to have a heavy forwarder.</P><P>You need to configure outputs.conf and also props.conf, transforms.conf in order to route data.</P> Wed, 13 Jan 2021 17:54:41 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-integration-with-other-tool/m-p/535694#M89843 scelikok 2021-01-13T17:54:41Z