All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk event forwarding

shaileshpawar21
New Member
‎04-22-2013 10:01 AM

Hello,
I have tried to forward log event stored in splunk to Linux machine via syslog.
but only splunk specific events (means events that are generated by splunk not the stored events) are forwarded to linux machine.
can anybody please tell me about process of forwarding stored events from splunk to other linux/windows box.?? please

thanks in advance

0 Karma
Reply

kristian_kolb
Ultra Champion
‎04-22-2013 11:59 AM

You can forward incoming events to a third party system (i.e. a non-splunk system). From the wording of your question it seems like you have set this up with partial success. I believe that you wish to forward data that has already been indexed by a splunk indexer. To the best of my knowledge that is not as straightforward as it might seem, unfortunately. Once event have been indexed (i.e. you don't forward the incoming stream of events), you'll have make searches and export the search results.

http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Forwarddatatothird-partysystemsd
http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Savingsearchesandsharingsearchresults
http://splunk-base.splunk.com/answers/46050/export-raw-logs-from-specific-time

Hope this helps,

Kristian

0 Karma
Reply

shaileshpawar21
New Member
‎04-24-2013 02:40 AM

Hi Ayn,

I have followed all steps given in link but events are not forwarded to other machine.
I have done following steps.
1st received events from TCP port
then in foward made the configuration of hostname:port
the host which is mentioned has beed configured to read events through syslog. (for this edited rsyslog.conf)
but events are not present in log file of other machine..
Please help me,
Thanks.

0 Karma
Reply

Ayn
Legend
‎04-23-2013 02:19 AM

You can't grab events right from the raw index files. You need to go through the regular Splunk mechanisms, which the docs that kristian links to describe. Is there anything in particular that you're missing in the docs? Because I see instructions there on how to grab all or just a subset of the events and forward it to a 3rd party system over TCP...

0 Karma
Reply

shaileshpawar21
New Member
‎04-23-2013 01:44 AM

Thanks Kristian,
I want to forward data(events) which is stored in index(journal.gz file) to the remote on third party non splunk machine via TCP port through syslog.
How should I do that ?
Please help me in this.

Thanks in advance

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...