- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Is it possible to clone/forward logevents from specific hosts from a Splunk instance to a third-party system?
The importance here is that all logs still should be indexed and searchable on the splunk indexer but some of the data should also be copied from the indexer and get forwarded to a third-party system. This third-party system is a syslog-ng.
Which approach should I look into more deeply? To forward the data or to clone the data?
Is cloning even possible to a no-splunk instance?
Thanks in advance.
Br,
CJ
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![MuS MuS](https://community.splunk.com/legacyfs/online/avatars/2122.jpg)
Hi chje,
read the docs about Forward data to third-party systems
http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Forwarddatatothird-partysystemsd
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![kml_uvce kml_uvce](https://community.splunk.com/legacyfs/online/avatars/100734.jpg)
you can forward data to third party system and this is the better approach, see this link
http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Forwarddatatothird-partysystemsd
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![MuS MuS](https://community.splunk.com/legacyfs/online/avatars/2122.jpg)
Hi chje,
read the docs about Forward data to third-party systems
http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Forwarddatatothird-partysystemsd
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the quick replies guys.
I have looked into this doc but I couldn´t see anywhere if the data is "copied" when forwarded or not.
I would like to have the data on two locations so to speak. Not just routed or forwarded away all together from the Splunk indexer.
If you understand what I mean.
But if this is possible with the forwarding described in the document, then I will start looking into implementing this.
/CJ
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![MuS MuS](https://community.splunk.com/legacyfs/online/avatars/2122.jpg)
or in the UI
Settings » Forwarding and receiving » Forwarding defaults
Store a local copy of forwarded events?
Yes No
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![MuS MuS](https://community.splunk.com/legacyfs/online/avatars/2122.jpg)
Okay, follow the docs and add this in your outputs.conf
indexAndForward = [true|false]
* Index all data locally, in addition to forwarding it.
* This is known as an "index-and-forward" configuration.
* This attribute is available only at the top level [tcpout] stanza. It cannot be overridden in a target group.
* Defaults to false.
![](/skins/images/53C7C94B4DD15F7CACC6D77B9B4D55BF/responsive_peak/images/icon_anonymous_message.png)