URGENT - How to forward the content of one index of an indexer to a third party destination?

soc9688
New Member

Hello, I'm using an indexer to index my data flow into different indexes, but when I want to output just the content of one index of my indexer, I can't do it.
So any answer is appreciated.

0 Karma

newbie2tech
Communicator

You can write a search which gets all the data from the index you are interested in and outputs it to CSV on the search head [schedule this as per your need], and then have a batch job process [moveIT or a custom shell script] pick up the file from the search and move it to a location where the other application team can read it.

Also, it might help if you list what you mean by third party. If you want to export it to Hadoop, Splunk has the Hadoop Connect app, which can do this for you, so listing the third party might help.

Here are some links which were slightly helpful when I had to do the same

forwarder based discussion

https://answers.splunk.com/answers/65818/forward-data-to-a-third-party-system.html

Extract Huge Data

http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/CLIsearchsyntax

https://answers.splunk.com/answers/172454/what-are-my-options-to-export-large-amounts-of-spl.html
https://answers.splunk.com/answers/356825/how-to-export-very-large-datasets-from-splunk.html
https://answers.splunk.com/answers/22421/how-to-export-large-volume-of-raw-data-out-of-a-index.html

0 Karma
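The batch-job half of the approach in the answer above, as an added example that is not part of the original post or Splunk's own tooling: it reads a CSV export, keeps the events of one index, and sends each event as a single line over TCP. The `index` and `_raw` column names, the sample rows and the receiver host and port are assumptions.

```python
import csv
import io
import socket

# Constructed sample of a CSV export; the column names are assumptions.
SAMPLE_EXPORT = '''_time,index,_raw
2017-06-20T10:00:01,main,"sshd[812]: Failed password for root from 10.0.0.5"
2017-06-20T10:00:02,web,"GET /index.html 200"
2017-06-20T10:00:03,main,"java.lang.Exception: boom
    at Foo.bar(Foo.java:1)"
'''


def select_events(csv_text, index):
    """Return the raw events of one index, one string per event."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("index") != index:
            continue
        raw = row.get("_raw") or ""
        # A line-oriented receiver treats every newline as a new event,
        # so fold multi-line events onto one line before sending.
        events.append(raw.replace("\r", "").replace("\n", "\\n"))
    return events


def forward(events, host, port, timeout=5.0):
    """Send events newline-delimited over plain TCP; return bytes sent."""
    payload = "".join(e + "\n" for e in events).encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    # Print what would be forwarded for the "main" index.
    for line in select_events(SAMPLE_EXPORT, "main"):
        print(line)
```

The transport here is cleartext TCP; wrap the connection with Python's `ssl` module if the path to the receiver is not trusted.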

soc9688
New Member

Thx, but I do not want to tie it all in a file, but just forward the data that came in, and to do so I want to forward just the content I want, for instance the main index.

0 Karma

DalJeanis
SplunkTrust

@soc9688 -

1) What, exactly, do you mean by "forward"?
2) What, exactly, is the receiving technology? Is it another Splunk instance, a database, a JavaScript script, an HTML page, what?

0 Karma

soc9688
New Member

1) Forward, for me, is to transmit content from/to, with or without changing the content format before.
2) This is a queue in an RSA Server which parses the data I give to it.

0 Karma

somesoni2
SplunkTrust

Check if your user role has access to all those indexes (see steps 6 and 7 of the link below).
http://docs.splunk.com/Documentation/Splunk/6.6.1/Security/Addandeditroles

0 Karma

pappjr
Path Finder

Hi @soc9688,

What do you mean by "output" the content of your indexer? Are you trying to export data from Splunk into another system?

0 Karma

soc9688
New Member

In fact, I am doing redirection of the flow that comes into the input of my indexer, and I want to select just the content of one of my indexes, for example the main index, to forward.

0 Karma