topic Re: Splunk Forwarding in Splunk Search

Splunk Forwarding

shaileshpawar21 — Fri, 19 Apr 2013 04:35:11 GMT

Hello, Can any one please tell me that, Whether splunk reads event from only splunk installed machine or non-splunk machine also ?
Also Please give me idea about forwarding mechanism of splunk.
and one more question is that, in which format splunk forwards events? whether it uses any binary format ? because when I was trying to forward events from splunk to RHEL machine it is forwarded in raw (0#) format. Is this the behavior of splunk or m I going wrong somewhere ?

Thanks In Advance.

Re: Splunk Forwarding

sinclairmachado — Fri, 19 Apr 2013 06:06:04 GMT

Following is high level flow;
Splunk Forwarder -> Indexer -> Search Head

Splunk requires splunk forwarder agent (Universal Forwarder / Splunk Light Forwarder / Splunk Heavy Forwarder) to forward data to the splunk indexers from the servers.
eg : you forward logs (/var/log/messages) from your test_server to splunk indexer

The data is forwarded on the receiving port you set on the indexers (by default it is 9997).

Search Head is the central querying hub which will pull data from one or many indexers.

I am not sure why you are trying to send event from splunk servers to the RHEL box, it should be other way round.

Re: Splunk Forwarding

shaileshpawar21 — Sun, 21 Apr 2013 17:49:03 GMT

Thanks you for your response,
Actually I was trying to send events which was stored into splunk.
I want to read that event in non-splunk machine.
can you please help me in that?

Thanks

Re: Splunk Forwarding

kristian_kolb — Sun, 21 Apr 2013 19:02:43 GMT

Have a look at;

http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Forwarddatatothird-partysystemsd

Re: Splunk Forwarding

shaileshpawar21 — Mon, 22 Apr 2013 06:37:17 GMT

Thanks kristian,
Can you please tell me whole step by step process of receiving and forwarding events.
Actually I want to send RHEL events stored in splunk server to other non-splunk machine.
Please help me in that.

Thanks in advance

Re: Splunk Forwarding

sinclairmachado — Tue, 23 Apr 2013 14:46:26 GMT

Hi Shailesh,
Apologize I did not get your question.
You can also do it by using splunk scheduler or alerting mechanism.

When you generate an alert a CSV file is generated at back-end with results, you can use that and scp it to the server where you want to place it by executing a script.
(When setting up alerting you have an option to execute a script.)

Regards
Sinclair

Re: Splunk Forwarding

shaileshpawar21 — Wed, 24 Apr 2013 09:45:52 GMT

Thanks Sinclair,

Lets consider I have 3 machines A,B and C.
B is my splunk server. Now I want to receive events from machine A to splunk server B and then froward these events (which are stored in splunk server B) tothird machine C.
Please help in this scenario.

Thanks in advance

Re: Splunk Forwarding

sinclairmachado — Mon, 28 Sep 2020 13:47:18 GMT

1) A -> B
This will be your normal splunk configuration that will forward data from server A to splunk server B

2) B -> C
To Send data from splunk server B to server C do the following;
Create a shell script with splunk CLI search redirecting data to a data file.
SCP the file to server C

Example of steps in the shell will be;
$SPLUNK_HOME/bin/splunk search 'index=* search string' -earliest_time='-1d' -latest_time='now' > datafile
scp ./datafile user@server:/path/

Let me know if that works for you.

Regards
Sinclair