Getting Data In
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I need to transfer the data from Splunk to a third party server (UDP port)

akd9
New Member
‎09-05-2017 11:16 PM

the configuration for tcp port is below but need to the same for udp port

Transforms:
[bigmoney]
REGEX = event
DEST_KEY=_TCP_ROUTING
FORMAT=bigmoneyreader

Props:
[host::machine name]
TRANSFORMS-filterHost = bigmoney

Outputs:
[tcpout]
defaultGroup = nothing

[tcpout:bigmoneyreader]
server=ipaddress:port
sendCookedData=false

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rphillips_splk
Splunk Employee
Splunk Employee
‎09-06-2017 09:52 AM

@niketn The syslog output processor supports udp you can use the example from our docs to configure this:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Forwarding/Forwarddatatothird-partysystemsd

Send a subset of data to a syslog server
This example shows how to configure a heavy forwarder to forward data from hosts whose names begin with "nyc" to a syslog server named "loghost.example.com" over port 514:

Edit props.conf and transforms.conf to specify the filtering criteria.

In props.conf, apply the send_to_syslog transform to all host names beginning with nyc:
[host::nyc*]
TRANSFORMS-nyc = send_to_syslog

In transforms.conf, configure the send_to_syslog transform to specify _SYSLOG_ROUTING as the DEST_KEY and the my_syslog_group target group as the FORMAT:
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

In outputs.conf, define the my_syslog_group target group for the non-Splunk server:

[syslog:my_syslog_group]
server = loghost.example.com:514
type = udp

View solution in original post

Reply
Solved! Jump to solution
Solution

rphillips_splk
Splunk Employee
Splunk Employee
‎09-06-2017 09:52 AM

@niketn The syslog output processor supports udp you can use the example from our docs to configure this:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Forwarding/Forwarddatatothird-partysystemsd

Send a subset of data to a syslog server
This example shows how to configure a heavy forwarder to forward data from hosts whose names begin with "nyc" to a syslog server named "loghost.example.com" over port 514:

Edit props.conf and transforms.conf to specify the filtering criteria.

In props.conf, apply the send_to_syslog transform to all host names beginning with nyc:
[host::nyc*]
TRANSFORMS-nyc = send_to_syslog

In transforms.conf, configure the send_to_syslog transform to specify _SYSLOG_ROUTING as the DEST_KEY and the my_syslog_group target group as the FORMAT:
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

In outputs.conf, define the my_syslog_group target group for the non-Splunk server:

[syslog:my_syslog_group]
server = loghost.example.com:514
type = udp

Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top