Getting Data In

HF data forwarding to 3rd party design validation


I have a requirement to push a subset of universal and heavy forwarders originating data to a third party, for which I enabled a set of HFs for data forwarding alone.

This is working fine, as data arrives uncooked to a target syslog-ng.

The troublesome part was being asked to ensure the HF resends the data in case the target undergoes maintenance, or has an outage lasting up to 2 days.

Considering Persistent Queues don't work over splunktcp streams, is it even an option for me to push uncooked data to the HFs, enabling a standard TCP input (not splunktcp) with Persistent Queue enabled, say, to 200GB?

Never heard of anyone using this approach.
Would this work?

Labels (2)
0 Karma
Get Updates on the Splunk Community!

There's No Place Like Chrome and the Splunk Platform

Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

The Great Resilience Quest: 5th Leaderboard Update

The fifth leaderboard update for The Great Resilience Quest is out >> 🏆 Check out the ...

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...