Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Forward indexed logs to 3rd Party System from Indexers via REST API or any other method

warsaw
Loves-to-Learn Lots
‎04-19-2021 04:35 AM

We have indexers and Universal Forwarders and no Heavy Forwarders in use, i know UF cannot send parsed data to any external system it can only send uncooked data and all of them , but can the indexers send the parsed logs(only specific e.g. from windows index) to external system, maybe through REST API or syslog or any other mechanism?

the sequence would be like this : UF>>Indexers>>External System.

0 Karma
Reply

aasabatini
Motivator
‎04-19-2021 04:40 AM

Hi @warsaw 

 

yes you can route your data on third system native based on syslog.

check this page  under "Replicate a subset of data to a third-party system"

https://docs.splunk.com/Documentation/Splunk/8.1.3/Forwarding/Routeandfilterdatad

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply

warsaw
Loves-to-Learn Lots
‎04-19-2021 04:44 AM

@aasabatini yes i'd checked this already, this shows how to route cooked logs from HF to indexer and raw to external system, not cooked data from indexer to external system.

0 Karma
Reply

aasabatini
Motivator
‎04-19-2021 04:59 AM

Hi @warsaw 

 

yes you can route your data from your indexer specify the all condition on the outputs.conf

for example if you want index a syslog source and forward from indexer you need to specify on your stanza this.

[indexAndForward]
index=true
selectiveIndexing=true

Also on your forwarder if you want manage your source you need to specify  the inputs stanza.

[input_stanza]
_INDEX_AND_FORWARD_ROUTING=<any_string>

I hope this link can help

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf#IndexAndForward_Processor-----

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
Reply

warsaw
Loves-to-Learn Lots
‎04-19-2021 11:57 PM

I see this is available for only heavy forwarders.

indexAndForward = <boolean>
* Set to "true" to index all data locally, in addition to forwarding it.
* This is known as an "index-and-forward" configuration.
* This setting is only available for heavy forwarders.
* This setting is only available at the top level [tcpout] stanza. It
  cannot be overridden in a target group.
* Default: false

 

0 Karma
Reply

aasabatini
Motivator
‎04-20-2021 04:01 AM

Hi @warsaw 

the 

indexAndForward

stanza works for all splunk roles.

check this answer is more similar on your case.

https://community.splunk.com/t5/Getting-Data-In/How-to-index-all-locally-and-forward-specific-source...

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...