Re: Is there a way to transfer data from Splunk Se...

potnuru · ‎09-16-2020

Requirement is to send data from Splunk to PTA tool using Scheduled Search on Search Head.

The Data should be filtered on some parameters and filtered data/events are sent to PTA in regular intervals. Like Every one hours the Events should be filtered and sent to PTA.

thambisetty · ‎09-21-2020

you can't directly forward the search results from search head to 3rd party servers.

you can do it directly from Heavy forwarder/Indexer to 3rd syslog server.

https://docs.splunk.com/Documentation/Splunk/8.0.6/Search/Forwarddatatothirdpartysystems#:~:text=To%....

————————————
If this helps, give a like below.

thambisetty · ‎09-16-2020

I don't know what is your case. you can do using below procedure:

create your search and write your results to csv file using outputcsv command.
create inputs.conf to monitor the file and create outputs.conf to forward data using [syslog] on search head.

————————————
If this helps, give a like below.

potnuru · ‎09-21-2020

@thambisetty We need to forward the raw data from Splunk to CyberArk PTA(3rd Party) tool.

We need to forward the data through SYSLOG TCP. (PTA will listen to SYSLOG TCP on xyz port).

Is there any option to forward the data from Search Head without saving it locally?

Is there a way to transfer data from Splunk Search Head via Scheduled Search to third party system through syslog?

syslog

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!