HF data forwarding to 3rd party design validation

Getting Data In

I have a requirement to push a subset of universal and heavy forwarders originating data to a third party, for which I enabled a set of HFs for data forwarding alone.

This is working fine, as data arrives uncooked to a target syslog-ng.

The troublesome part was being asked to ensure the HF resends the data in case the target undergoes maintenance, or has an outage lasting up to 2 days.

Considering Persistent Queues don't work over splunktcp streams, is it even an option for me to push uncooked data to the HFs, enabling a standard TCP input (not splunktcp) with Persistent Queue enabled, say, to 200GB?

Never heard of anyone using this approach.
Would this work?

Get Updates on the Splunk Community!

HF data forwarding to 3rd party design validation

heavy forwarder

syslog

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation

HF data forwarding to 3rd party design validation

heavy forwarder

syslog

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!