Solved: forwarding to third party REST endpoint

vijay · ‎06-27-2021

Hi,

Is it possible from Splunk universal/heavy forwarder to forward data to third party REST API endpoint over https using basic authentication ?

I have use case where Splunk universal/heavy forwarder has to forward data to Splunk enterprise + 3rd party client REST api endpoint for processing data.

Is this use case possible ?

venkatasri · ‎06-28-2021

@vijay

I want to correct first bullet point about custom setup, you can not enforce HF to store data on file it can only index the data. Hence you have to implement script on the machine where originally present. Hope it helps Appreciate if you could Accept the solution.

View solution in original post

venkatasri · ‎06-27-2021

Hi @vijay

Splunk docs suggest HF can forward to only TCP endpoint not to HTTP Rest API. You can find same documentation here - Forward data to third-party systems - Splunk Documentation

If you wish to do so i would do using store-and-forward model using custom script.

Receive on HF and store the data to a file
write a custom script to read every line from a file and curl to Rest API either line-by-line or batch mode.
You can cron schedule the script to run and have a checkpoint to track where you have last read the stored file... and retry in case of target Rest API failed to receive.

---

An upvote would be appreciated & Accept solution if it helps!

vijay · ‎06-28-2021

Thanks for the help @venkatasri .

venkatasri · ‎06-28-2021

@vijay

I want to correct first bullet point about custom setup, you can not enforce HF to store data on file it can only index the data. Hence you have to implement script on the machine where originally present. Hope it helps Appreciate if you could Accept the solution.

forwarding to third party REST endpoint

forwarder management

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024