Hi Friends,
Has anyone used a Universal forwarder to forward logs to a HEC instance? My ask is similar to the one in the thread below
https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-6-4-0-to-HEC/td-p/364436
Any inputs on how to accomplish this will be greatly appreciated.
Have a good one and keep safe!
Rachael
Heavy Forwarders can accept HEC inputs, but not send out to HEC outputs. They can either send to Syslog or to a Splunk Indexer endpoint using Splunk2Splunk protocol.
Universal forwarders do not TODAY have HEC input capabilities.
The latest version seems to support that:
https://docs.splunk.com/Documentation/Forwarder/8.2.1/Forwarder/Configureforwardingwithoutputs.conf
In my case, I want to forward a subset of data that I received through HEC on my splunk instance to HEC on another instance. I am not sure what DEST_KEY to use. TCP_ROUTING? The document indicates that I need a httpout stanza.
[httpout]
httpEventCollectorToken = eb514d08-d2bd-4e50-a10b-f71ed9922ea0
uri = https://10.222.22.122:8088
A snippet of transforms.conf:
[route_to_another_hec]
REGEX = 99sdfskdfskdfhsjdkfhsd
DEST_KEY = _TCP_ROUTING
FORMAT = another_hec
Thanks.
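The post above wants a REGEX-selected subset of events pushed on to a second HEC endpoint. As an added example (not code from this thread or from Splunk), the script below does that selection in plain Python and builds the request in the HEC wire format the receiving instance expects: a POST to /services/collector/event with an "Authorization: Splunk <token>" header and a body of newline-delimited JSON event objects. The endpoint, token, regex and log lines are constructed placeholders, and the real send is left commented out so the block runs offline.

```python
"""Route a subset of events to a second HEC endpoint in HEC wire format.

Added example, not code from the Splunk thread or from Splunk itself. It
mirrors the transforms.conf idea (REGEX selects events, a destination
receives them) in Python so the payload can be inspected offline.
The host, token, regex and sample events are constructed placeholders.
"""
import json
import re
import ssl
import urllib.request

# Assumed destination, same shape as the [httpout] stanza posted above.
HEC_URI = "https://10.222.22.122:8088"              # placeholder host
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"  # placeholder token
ROUTE_REGEX = re.compile(r"sshd\[\d+\]: Failed password")  # subset to forward

# Constructed sample events, in the JSON shape HEC accepts on input.
SAMPLE_EVENTS = [
    {"time": 1700000000, "host": "web01", "sourcetype": "syslog",
     "event": "sshd[1201]: Failed password for root from 203.0.113.5 port 4242 ssh2"},
    {"time": 1700000001, "host": "web01", "sourcetype": "syslog",
     "event": "sshd[1201]: Accepted publickey for deploy from 198.51.100.7"},
    {"time": 1700000002, "host": "db02", "sourcetype": "syslog",
     "event": "sshd[877]: Failed password for admin from 203.0.113.9 port 5151 ssh2"},
]


def select_events(events, pattern=ROUTE_REGEX):
    """Keep only events whose raw text matches the routing regex."""
    return [e for e in events if pattern.search(str(e.get("event", "")))]


def build_hec_batch(events):
    """Serialise events as newline-delimited JSON, the batch form HEC accepts.

    Each object keeps its own time/host/sourcetype, so the receiving instance
    indexes the original metadata rather than the forwarder's.
    Returns bytes ready to POST to /services/collector/event.
    """
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in events).encode()


def parse_batch(batch):
    """Decode a batch back into event dicts (used to check what was built)."""
    return [json.loads(line) for line in batch.decode().splitlines() if line]


def hec_request(batch, uri=HEC_URI, token=HEC_TOKEN):
    """Build (but do not send) the HTTP request for one batch."""
    return urllib.request.Request(
        uri.rstrip("/") + "/services/collector/event",
        data=batch,
        method="POST",
        headers={
            "Authorization": "Splunk " + token,
            "Content-Type": "application/json",
        },
    )


def send_batch(batch, uri=HEC_URI, token=HEC_TOKEN, cafile=None, timeout=10):
    """POST a batch to HEC, verifying TLS against cafile (or system roots).

    Do not disable certificate verification for a self-signed Splunk cert;
    point cafile at that cert instead. Returns the parsed JSON reply,
    which for an accepted batch looks like {"text": "Success", "code": 0}.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(hec_request(batch, uri, token),
                                timeout=timeout, context=ctx) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    subset = select_events(SAMPLE_EVENTS)
    batch = build_hec_batch(subset)
    print(batch.decode())
    # send_batch(batch, cafile="/path/to/splunk-ca.pem")  # real send, off by default
```

Two points worth keeping when you adapt this: the token is the only authentication HEC has, so treat it like a password (the one quoted in the thread should be rotated), and keep TLS verification on rather than skipping it for a self-signed indexer certificate.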
Keep in mind httpout and HEC are different.
Hi @yuelu, this use case is very interesting. Right now I am also trying to do a similar output for HEC. But according to that manual, httpout and tcpout cannot both be used at the same time. So for other Splunk TAs deployed on UFs, could they also be indexed with httpout into the Indexer?