Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Forwarding Search Results on a schedule

dm1
Contributor
‎08-03-2021 06:09 PM

I have a requirement to forward search results of a query to an indexer of an external organization. The volume of this data would be fairly high.

I understand there are a multiple ways to achieve this. I am thinking to use a script to run every 5 mins to grab the search results via REST API and store it locally on the disk and forward it from there via outputs.conf

I also understand this would be very to do via script but only challenge is I am not that experienced with scripting stuff, hence little unsure. 

Hence, wondering if anyone can please share if there would be an easier way than doing this via a script.

Labels (4)
Tags (1)
0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎08-03-2021 06:26 PM

Hi @dm1 

Have you tried _TCP_ROUTING in transforms conf of HF.

The search results that you wish to export should have been going through HF in your infra to your internal indexers, if you know exactly what streams you want to forward filter on search pattern/host/source/index etc  then send them to external org indexers at the same time  using transforms conf _TCP_ROUTING option. No need of scripting.

0 Karma
Reply

dm1
Contributor
‎08-03-2021 07:23 PM

The search results are not going via HF. This is running a search on already indexed data (its a summary index)

Basically, I am running a search, e.g. 

 

 index=abc field1=def field2=ghi

 

 I want to forward the results of the above search to another Indexer on a cron schedule like every 5mins.

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎08-03-2021 07:45 PM

@dm1 i mean't the _raw stream at the time of indexing to your internal org indexers going via HF. Same you would like to export after indexing the data and forward it to external org indexers isn't it?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...