Getting Data In

Can I replicate a subset of the data to a non-Splunk destination?

Alan_Bradley
Path Finder

I need to do the following on my forwarder:

  1. Forward all data received and gathered by the forwarder to Splunk indexer
  2. Replicate subset of the data, based on a source or sourcetype, to a 3rd party server

Can someone share a basic configuration example?

Tags (2)
1 Solution

matt
Splunk Employee
Splunk Employee

This will send a cooked data stream to the indexer (10.1.12.1:9997) and a second smaller uncooked tcp stream to the third party (10.1.12.2:1234). If you need the second stream to be syslog out then you will need to shift that work to the indexer.

props.conf

[syslog]
TRANSFORMS-routing = routeAll, routeSubset

transforms.conf

[routeAll]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=Everything

[routeSubset]
REGEX=(SYSTEM|CONFIG|THREAT)
DEST_KEY=_TCP_ROUTING
FORMAT=Subsidiary,Everything

outputs.conf

[tcpout]
defaultGroup=nothing

[tcpout:Everything]
disabled=false
server=10.1.12.1:9997

[tcpout:Subsidiary]
disabled=false
sendCookedData=false
server=10.1.12.2:1234

View solution in original post

matt
Splunk Employee
Splunk Employee

This will send a cooked data stream to the indexer (10.1.12.1:9997) and a second smaller uncooked tcp stream to the third party (10.1.12.2:1234). If you need the second stream to be syslog out then you will need to shift that work to the indexer.

props.conf

[syslog]
TRANSFORMS-routing = routeAll, routeSubset

transforms.conf

[routeAll]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=Everything

[routeSubset]
REGEX=(SYSTEM|CONFIG|THREAT)
DEST_KEY=_TCP_ROUTING
FORMAT=Subsidiary,Everything

outputs.conf

[tcpout]
defaultGroup=nothing

[tcpout:Everything]
disabled=false
server=10.1.12.1:9997

[tcpout:Subsidiary]
disabled=false
sendCookedData=false
server=10.1.12.2:1234
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...