Getting Data In

Possible to clone/forward logs to a third-party system?

chje
Explorer

Hi,
Is it possible to clone/forward log events from specific hosts from a Splunk instance to a third-party system?
The important thing here is that all logs should still be indexed and searchable on the Splunk indexer, but some of the data should also be copied from the indexer and forwarded to a third-party system. This third-party system is a syslog-ng.
Which approach should I look into more deeply? To forward the data or to clone the data?
Is cloning even possible to a non-Splunk instance?
Thanks in advance.

Br,
CJ

0 Karma

kml_uvce
Builder

You can forward data to a third-party system, and this is the better approach; see this link:
http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Forwarddatatothird-partysystemsd

kamal singh bisht
0 Karma

MuS
SplunkTrust

Hi chje,

Read the docs about Forward data to third-party systems: http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Forwarddatatothird-partysystemsd

cheers, MuS

chje
Explorer

Thanks for the quick replies guys.
I have looked into this doc but I couldn't see anywhere if the data is "copied" when forwarded or not.
I would like to have the data in two locations, so to speak. Not just routed or forwarded away altogether from the Splunk indexer.
If you understand what I mean.
But if this is possible with the forwarding described in the document, then I will start looking into implementing this.

/CJ

0 Karma

MuS
SplunkTrust

or in the UI

Settings » Forwarding and receiving » Forwarding defaults

Store a local copy of forwarded events?
 Yes   No
0 Karma

MuS
SplunkTrust

Okay, follow the docs and add this in your outputs.conf

indexAndForward = [true|false]
* Index all data locally, in addition to forwarding it.
* This is known as an "index-and-forward" configuration.
* This attribute is available only at the top level [tcpout] stanza. It cannot be overridden in a target group.
* Defaults to false.
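
An illustration added here, not posted by any participant in the thread: one way the setting above could be combined with the syslog routing described in the linked "Forward data to third-party systems" documentation, so that events from selected hosts stay indexed and are also copied to syslog-ng. The host pattern, group name, transform name and server address are constructed placeholders.

```ini
# --- outputs.conf (on the Splunk instance that holds the data) ---
[tcpout]
# Setting quoted in the thread: keep indexing locally as well as forwarding.
indexAndForward = true

# Syslog output group; the group name is a constructed placeholder.
[syslog:syslog_ng_copy]
# Constructed placeholder address for the syslog-ng receiver.
server = syslog-ng.example.internal:514
# Syslog output defaults to UDP; tcp avoids silent loss of datagrams.
# Either way this stream is plain text, so keep it on a trusted network path.
type = tcp

# --- props.conf ---
# Select only the hosts whose events should be copied (constructed pattern).
[host::dmz-web*]
TRANSFORMS-syslog_copy = route_to_syslog_ng

# --- transforms.conf ---
[route_to_syslog_ng]
# Match every event from the selected hosts.
REGEX = .
# Route matching events to the syslog group defined in outputs.conf.
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_ng_copy
```

After a restart, the same events from the selected hosts should be searchable on the indexer and visible on the syslog-ng side; comparing the two confirms that the data is copied rather than routed away.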