How to send data from one Splunk forwarder to the ...

OL · ‎03-03-2016

Hi all,

I am trying to use the Protocol Data Inputs (PDI) add-on, but I am having problem getting data to it. What is the best way to receive data from a universal/heavy forwarder instance? I believe the PDI add-on doesn't accept cooked data.

I am currently receiving data from an external Splunk instance. The data are sent to my intermediate forwarder (iFwd), which then forwards to my indexers. This is working fine. Now, I would like to manipulate the data on the iFwd. I have installed the PDI add-on in the iFwd and wanted to know if there was a best solution to get data from a forwarder to the PDI installed on another forwarder.

Damien_Dallimor · ‎03-03-2016

In theory you could send cooked data to a PDI TCP port , but as this will be binary , you'd need to know the cooked data protocol and write a custom PDI data handler to decode it.

Best just to forward uncooked data from your UF/HF to a TCP port you open in the PDI App.

sendCoookedData = false

http://docs.splunk.com/Documentation/Splunk/6.1/admin/Outputsconf

OL · ‎03-03-2016

Thank you, forgot that you could do that. Working great!!

How to send data from one Splunk forwarder to the Protocol Data Inputs add-on installed on another forwarder?

Enterprise Security Content Updates (ESCU) - New Releases

Thought Leaders are Validating Your Hard Work and Training Rigor

.conf23 Registration is Now Open!