Is it possible to forward data to third-party systems in other formats than syslog and raw?

tulinski
Explorer

Is it possible to forward cooked, parsed data (containing all fields) in JSON format to some external TCP endpoint (using a Heavy Forwarder)?
I found that it is possible to send cooked data, but I couldn't find specs for this format. Is it possible to use this kind of data in external TCP endpoints, or is it a Splunk-internal format which shouldn't be used outside of Splunk? According to the docs, in the case of a Heavy Forwarder this cooked data should be parsed. I am wondering what rules are used in the process of parsing events by the Heavy Forwarder? How does it know what fields it should look for in raw data?

0 Karma

jamesbrock
Path Finder

You can send raw logs using the outputs.conf setting "sendCookedData":

outputs.conf
sendCookedData=false

0 Karma
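As an added illustration of the setting above (this is not the poster's configuration), here is a complete outputs.conf routing layout for a heavy forwarder that keeps sending cooked data to the Splunk indexers while sending only the raw event text to a separate third-party TCP listener. The host names, ports, group names and the source path are assumptions chosen for the example; replace them with your own. With sendCookedData = false the forwarder writes the original event text to the socket, so search-time field extractions and the JSON-style field set the question asks for are not included in what the third-party endpoint receives.

```ini
# outputs.conf (on the heavy forwarder) -- example, not the poster's config

[tcpout]
# Cooked data keeps flowing to the Splunk indexers by default.
defaultGroup = splunk_indexers

[tcpout:splunk_indexers]
# Assumed indexer host; cooked (Splunk-internal) data, the default.
server = idx1.example.com:9997

[tcpout:third_party_raw]
# Assumed third-party listener. Raw event text only: no Splunk framing,
# no index-time metadata, no extracted fields.
server = siem.example.com:514
sendCookedData = false

# props.conf -- select which events are routed to the third-party group.
# [source::/var/log/auth.log] is an assumed source path.
#
# [source::/var/log/auth.log]
# TRANSFORMS-route_third_party = route_to_third_party

# transforms.conf -- set the destination group for the matched events.
#
# [route_to_third_party]
# REGEX = .
# DEST_KEY = _TCP_ROUTING
# FORMAT = third_party_raw
```

Because the props.conf/transforms.conf routing runs in the parsing pipeline, it only takes effect on a heavy forwarder (or an indexer), not on a universal forwarder. A quick check after deploying is to point the third_party_raw group at a test host, run a plain TCP listener there, and confirm that what arrives is the bare event lines rather than Splunk's cooked stream.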

tulinski
Explorer

I assume you mean I cannot achieve what I want. I'd like to set up a forwarder to send messages containing all fields (as they were indexed). I thought maybe it is possible, as the forwarder has an option indexAndForward.

0 Karma

vsingla1
Communicator

@tulinski Did you ever find a way to send Splunk cooked data to third-party systems?

0 Karma

schitra15
New Member

Hi. Did you find a solution to get indexed data out of Splunk to a third-party system?

0 Karma