Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Forward data received on a port to a third party system

anton085
Path Finder
‎08-15-2017 09:25 AM

I have a Splunk instance configured to receive data on port 9997 from 2 forwarders. If I want to configure it to forward data received on port 9997, what should I write as the stanza in props.conf?

For example, to forward data from '/var/log', you have to write:
[source::/var/log]
TRANSFORMS-routing = send_to_tcp

What should I write when the source is the port 9997?

0 Karma
Reply
1 Solution
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎08-15-2017 09:37 AM

There is a difference between the receiving port (default 9997) that a forwarder would send data to, and a listening port, say UDP 514 if you are sending syslogs to some port where Splunk is listening for that data stream. All of your data would be coming in to 9997 if it is coming from forwarders. Your source would not reflect the receiving port that the forwarders are sending data to, like it would in the UDP 514 example.

Are you trying to send any data coming from the forwarders on to another destination?

0 Karma
Reply
Solved! Jump to solution

anton085
Path Finder
‎08-15-2017 09:47 AM

"Are you trying to send any data coming from the forwarders on to another destination?"

That's exactly what I want to do. Is the props.conf config different for data received on 9997 vs other ports (i.e., 514)?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-15-2017 09:51 AM

Are you trying to send all data to a different destination? Cloning the data or just redirecting?

0 Karma
Reply
Solved! Jump to solution

anton085
Path Finder
‎08-15-2017 10:12 AM

I am trying to send the data to a third-party system. I would like to see the configs for both cloning and redirecting.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
li.common.scroll-to.top