Getting Data In

URGENT - How to forward the content of one index of an indexer to a third party destination?

soc9688
New Member

Hello, I'm using an indexer to index my data flow in different indexes, but when I want to output just the content of one index of my indexer, I can't do it.
So any answer is appreciated.

0 Karma

newbie2tech
Communicator

You can write a search that gets all the data from the index you are interested in and outputs it to CSV on the search head [schedule this as per your need], and then have a batch job process [moveIT or custom shell script] pick up the file from the search and move it to a location where the other application team can read it.

Also, it might help if you list what you mean by third party. If you want to export it to Hadoop, Splunk has the Hadoop Connect app, which can do this for you, so listing the third party might help.

Here are some links which were slightly helpful when I had to do the same

forwarder based discussion

https://answers.splunk.com/answers/65818/forward-data-to-a-third-party-system.html

Extract Huge Data

http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/CLIsearchsyntax

https://answers.splunk.com/answers/172454/what-are-my-options-to-export-large-amounts-of-spl.html
https://answers.splunk.com/answers/356825/how-to-export-very-large-datasets-from-splunk.html
https://answers.splunk.com/answers/22421/how-to-export-large-volume-of-raw-data-out-of-a-index.html

0 Karma
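An added example, not part of the original thread and not Splunk code: a sketch of the batch job described in the answer above. It assumes the scheduled search wrote a CSV that includes the `_raw` column and that the third-party receiver accepts newline-delimited events over plain TCP; the function names, directory layout, host and port are hypothetical.

```python
import csv
import os
import shutil
import socket

# Splunk CSV exports carry the original event text in the _raw column.
RAW_FIELD = "_raw"
# Raise the csv module's 128 KiB per-field default; single events can be larger.
MAX_FIELD_BYTES = 16 * 1024 * 1024


def frame_event(raw):
    """Return one event as one line. Embedded newlines are escaped so a
    multi-line event is not read as several records by the receiver."""
    escaped = raw.replace("\\", "\\\\").replace("\r", "\\r").replace("\n", "\\n")
    return escaped + "\n"


def forward_export(csv_path, host, port, done_dir):
    """Send every event of one export file to host:port (assumed receiver),
    then move the file to done_dir so the next batch run does not resend it.
    Returns the number of events sent."""
    csv.field_size_limit(MAX_FIELD_BYTES)
    sent = 0
    with open(csv_path, newline="", encoding="utf-8") as fh, \
            socket.create_connection((host, port), timeout=10) as sock:
        reader = csv.DictReader(fh)
        if RAW_FIELD not in (reader.fieldnames or []):
            raise ValueError(f"{csv_path}: no {RAW_FIELD} column in export")
        for row in reader:
            sock.sendall(frame_event(row[RAW_FIELD]).encode("utf-8"))
            sent += 1
    # Only reached when every event was written without an exception.
    os.makedirs(done_dir, exist_ok=True)
    shutil.move(csv_path, os.path.join(done_dir, os.path.basename(csv_path)))
    return sent
```

If the send fails partway, the file stays in place and is retried whole on the next run, so the receiver has to tolerate duplicate events.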

soc9688
New Member

Thanks, but I do not want to tie it all in a file, but just forward the data that came in, and to do so I want to forward just the content I want, for instance the main index.

0 Karma

DalJeanis
Legend

@soc9688 -

1) What, exactly, do you mean by "forward"?
2) What, exactly, is the receiving technology? Is it another Splunk instance, a database, a JavaScript script, an HTML page, what?

0 Karma

soc9688
New Member

1) Forward, for me, is to transmit content from/to, with or without changing the content format beforehand.
2) This is a queue in an RSA Server, which parses the data I give to it.

0 Karma

somesoni2
Revered Legend

Check whether your user role has access to all those indexes (see steps 6 and 7 of the link below).
http://docs.splunk.com/Documentation/Splunk/6.6.1/Security/Addandeditroles

0 Karma

pappjr
Path Finder

Hi @soc9688,

What do you mean by "output" the content of your indexer? Are you trying to export data from Splunk into another system?

0 Karma

soc9688
New Member

In fact, I am doing redirection of the flow that came in as input to my indexer, and I want to select just the content of one of my indexes, for example the main index, to forward.

0 Karma