Getting Data In

HF data forwarding to 3rd party design validation


I have a requirement to push a subset of universal and heavy forwarders originating data to a third party, for which I enabled a set of HFs for data forwarding alone.

This is working fine, as data arrives uncooked to a target syslog-ng.

The troublesome part was being asked to ensure the HF resends the data in case the target undergoes maintenance, or has an outage lasting up to 2 days.

Considering Persistent Queues don't work over splunktcp streams, is it even an option for me to push uncooked data to the HFs, enabling a standard TCP input (not splunktcp) with Persistent Queue enabled, say, to 200GB?

Never heard of anyone using this approach.
Would this work?

Labels (2)
0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!


Or Learn More in Our Blog >>