Hello, I'm using an indexer to index my data flow into different indexes, but when I want to output just the content of one index of my indexer, I can't do it.
So any answer is appreciated.
You can write a search which gets all the data from the index you are interested in and outputs it to CSV on the search head [schedule this as per your need], and then have a batch job process [MoveIT or a custom shell script] pick up the file from the search and move it to a location where the other application team can read from.
Also, it might help if you list what you mean by "third party". If you want to export it to Hadoop, Splunk has the Hadoop Connect app which can do this for you, so listing the third party might help.
Here are some links which were slightly helpful when I had to do the same:
https://answers.splunk.com/answers/65818/forward-data-to-a-third-party-system.html
http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/CLIsearchsyntax
https://answers.splunk.com/answers/172454/what-are-my-options-to-export-large-amounts-of-spl.html
https://answers.splunk.com/answers/356825/how-to-export-very-large-datasets-from-splunk.html
https://answers.splunk.com/answers/22421/how-to-export-large-volume-of-raw-data-out-of-a-index.html
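As an added example (not code from the thread, from the answer above, or from Splunk's own docs), here is the "search, export to CSV on the search head, hand the file to a pickup job" step as a shell script that cron on the search head could run. It uses the documented `splunk search` CLI with `-output csv` and `-maxout 0`; the `SPLUNK_HOME` default, the `PICKUP_DIR` drop location and the `export_index` function name are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): export one index to CSV with the Splunk
# CLI and publish the file to a pickup directory for a batch job to move on.
# Assumptions: SPLUNK_HOME points at a Splunk install whose CLI is already
# authenticated; PICKUP_DIR is a hypothetical drop location.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
PICKUP_DIR="${PICKUP_DIR:-/var/spool/splunk-export}"

# Thin wrapper around the CLI so the script can be exercised offline with a stub.
splunk_cmd() {
    "$SPLUNK_HOME/bin/splunk" "$@"
}

# export_index INDEX EARLIEST LATEST
# Runs `index=INDEX` over a fixed time window and writes the CSV into PICKUP_DIR
# atomically (write to a .tmp file, then mv) so the downstream pickup job never
# reads a half-written file. Prints the final path; returns 1 when the window
# held no events, in which case no file is published at all.
export_index() {
    local idx="$1" earliest="$2" latest="$3"
    local stamp final tmp
    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    final="$PICKUP_DIR/${idx}_${stamp}.csv"
    tmp="$final.tmp"
    mkdir -p "$PICKUP_DIR"

    # -maxout 0 lifts the default cap on returned results; -output csv gives a
    # header row followed by one line per event.
    splunk_cmd search "index=$idx earliest=$earliest latest=$latest" \
        -maxout 0 -output csv > "$tmp"

    # A header-only (or empty) file means no events in the window.
    if [ "$(wc -l < "$tmp")" -le 1 ]; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$final"
    echo "$final"
}

# Example cron invocation covering the previous whole hour:
# export_index main -1h@h @h
```

Two design points worth keeping when you schedule this: pin the search to a fixed window such as `-1h@h` to `@h` so consecutive runs neither overlap nor skip events, and have the pickup job (MoveIT or your own script) only collect `*.csv`, never `*.tmp`, so it cannot grab a file that is still being written.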
Thanks, but I do not want to tie it all up in a file, just forward the data that came in, and to do so I want to forward only the content I want, for instance the main index.
@soc9688 -
1) What, exactly, do you mean by "forward"?
2) What, exactly, is the receiving technology? Is it another Splunk instance, a database, a JavaScript script, an HTML page, what?
1) Forward, for me, is to transmit content from/to, with or without changing the content format beforehand.
2) This is a queue on an RSA server which parses the data I give to it.
Check if your user role has access to all those indexes (see steps 6 and 7 of the link below).
http://docs.splunk.com/Documentation/Splunk/6.6.1/Security/Addandeditroles
Hi @soc9688,
What do you mean by "output" the content of your indexer? Are you trying to export data from Splunk into another system?
In fact, I am redirecting the flow that came in as input to my indexer, and I want to select just the content of one of my indexes, for example the main index, to forward.