All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk event forwarding

shaileshpawar21
New Member
‎04-22-2013 10:01 AM

Hello,
I have tried to forward log event stored in splunk to Linux machine via syslog.
but only splunk specific events (means events that are generated by splunk not the stored events) are forwarded to linux machine.
can anybody please tell me about process of forwarding stored events from splunk to other linux/windows box.?? please

thanks in advance

0 Karma
Reply

kristian_kolb
Ultra Champion
‎04-22-2013 11:59 AM

You can forward incoming events to a third party system (i.e. a non-splunk system). From the wording of your question it seems like you have set this up with partial success. I believe that you wish to forward data that has already been indexed by a splunk indexer. To the best of my knowledge that is not as straightforward as it might seem, unfortunately. Once event have been indexed (i.e. you don't forward the incoming stream of events), you'll have make searches and export the search results.

http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Forwarddatatothird-partysystemsd
http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Savingsearchesandsharingsearchresults
http://splunk-base.splunk.com/answers/46050/export-raw-logs-from-specific-time

Hope this helps,

Kristian

0 Karma
Reply

shaileshpawar21
New Member
‎04-24-2013 02:40 AM

Hi Ayn,

I have followed all steps given in link but events are not forwarded to other machine.
I have done following steps.
1st received events from TCP port
then in foward made the configuration of hostname:port
the host which is mentioned has beed configured to read events through syslog. (for this edited rsyslog.conf)
but events are not present in log file of other machine..
Please help me,
Thanks.

0 Karma
Reply

Ayn
Legend
‎04-23-2013 02:19 AM

You can't grab events right from the raw index files. You need to go through the regular Splunk mechanisms, which the docs that kristian links to describe. Is there anything in particular that you're missing in the docs? Because I see instructions there on how to grab all or just a subset of the events and forward it to a 3rd party system over TCP...

0 Karma
Reply

shaileshpawar21
New Member
‎04-23-2013 01:44 AM

Thanks Kristian,
I want to forward data(events) which is stored in index(journal.gz file) to the remote on third party non splunk machine via TCP port through syslog.
How should I do that ?
Please help me in this.

Thanks in advance

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...