Getting Data In

Forward data received on a port to a third party system

anton085
Path Finder

I have a Splunk instance configured to receive data on port 9997 from 2 forwarders. If I want to configure it to forward data received on port 9997, what should I write as the stanza in props.conf?

For example, to forward data from '/var/log', you have to write:
[source::/var/log]
TRANSFORMS-routing = send_to_tcp

What should I write when the source is the port 9997?

0 Karma
1 Solution

kmorris_splunk
Splunk Employee
Splunk Employee

There is a difference between the receiving port (default 9997) that a forwarder would send data to, and a listening port, say UDP 514 if you are sending syslogs to some port where Splunk is listening for that data stream. All of your data would be coming in to 9997 if it is coming from forwarders. Your source would not reflect the receiving port that the forwarders are sending data to, like it would in the UDP 514 example.

Are you trying to send any data coming from the forwarders on to another destination?

0 Karma

anton085
Path Finder

"Are you trying to send any data coming from the forwarders on to another destination?"

That's exactly what I want to do. Is the props.conf config different for data received on 9997 vs other ports (i.e., 514)?

0 Karma

somesoni2
Revered Legend

Are you trying to send all data to a different destination? Cloning the data or just redirecting?

0 Karma

anton085
Path Finder

I am trying to send the data to a third-party system. I would like to see the configs for both cloning and redirecting.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...