Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Forwarding Search Results on a schedule

dm1
Contributor
‎08-03-2021 06:09 PM

I have a requirement to forward search results of a query to an indexer of an external organization. The volume of this data would be fairly high.

I understand there are a multiple ways to achieve this. I am thinking to use a script to run every 5 mins to grab the search results via REST API and store it locally on the disk and forward it from there via outputs.conf

I also understand this would be very to do via script but only challenge is I am not that experienced with scripting stuff, hence little unsure. 

Hence, wondering if anyone can please share if there would be an easier way than doing this via a script.

Labels (4)
Tags (1)
0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎08-03-2021 06:26 PM

Hi @dm1 

Have you tried _TCP_ROUTING in transforms conf of HF.

The search results that you wish to export should have been going through HF in your infra to your internal indexers, if you know exactly what streams you want to forward filter on search pattern/host/source/index etc  then send them to external org indexers at the same time  using transforms conf _TCP_ROUTING option. No need of scripting.

0 Karma
Reply

dm1
Contributor
‎08-03-2021 07:23 PM

The search results are not going via HF. This is running a search on already indexed data (its a summary index)

Basically, I am running a search, e.g. 

 

 index=abc field1=def field2=ghi

 

 I want to forward the results of the above search to another Indexer on a cron schedule like every 5mins.

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎08-03-2021 07:45 PM

@dm1 i mean't the _raw stream at the time of indexing to your internal org indexers going via HF. Same you would like to export after indexing the data and forward it to external org indexers isn't it?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...