Solved: Using Splunk UF to send data to ELK

Na_Kang_Lim · ‎07-30-2025

Hi, as the question suggest, I am trying to send 2 streams of logs.

From the document Forward data to third-party systems - Splunk Documentation I know there are 2 limitations:
- I can only send raw data

- I cannot filter only the data I want

So sending all data is OK for me.

Currently, my UF have this app called INDEXER_OUTPUT. Which in its default/outputs.conf have these configs:

[tcpout]
defaultGroup=my_indexer_cluster
autoLBFrequency=300

[tcpout:my_indexer_cluster]
server=<indexer_01_ip>:9997,<indexer_02_ip>:9997,<indexer_03_ip>:9997,<indexer_04_ip>:9997

[tcpout-server://<indexer_01_ip>:9997]

[tcpout-server://<indexer_02_ip>:9997]

[tcpout-server://<indexer_03_ip>:9997]

[tcpout-server://<indexer_04_ip>:9997]

So what I did was created another server class, with a single app within called ELK_OUTPUT. It also has a single default/outputs.conf file with this config:

[tcpout]

[tcpout:elk_server]
server=<elk_server_ip>:3514
sendCookedData=false

Upon adding the client to the server class, what I noticed is a weird behavior:
I only get the metrics.log sent to the ELK server

What I am suspecting is that maybe because my [WinEventLog://Security] input stanza contains "renderXML = true" and "evt_resolve_ad_obj = 1", so that it no longer considered as "raw data"?

livehybrid · ‎07-30-2025

Hi @Na_Kang_Lim

You will also need to update the

defaultGroup=my_indexer_cluster

to

defaultGroup=my_indexer_cluster,elk_server

so that it sends to both. The reason that you are getting the metrics is that some inputs.conf such as splunk.version monitor stanza has "_TCP_ROUTING = *" which sends to all output groups.

You will need to either make the change in the app where the defaultGroup is already defined, or push it out through another app which has a higher order of precedence. It might be easiest to change this in the existing app if possible.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

View solution in original post

livehybrid · ‎07-30-2025

Hi @Na_Kang_Lim

You will also need to update the

defaultGroup=my_indexer_cluster

to

defaultGroup=my_indexer_cluster,elk_server

so that it sends to both. The reason that you are getting the metrics is that some inputs.conf such as splunk.version monitor stanza has "_TCP_ROUTING = *" which sends to all output groups.

You will need to either make the change in the app where the defaultGroup is already defined, or push it out through another app which has a higher order of precedence. It might be easiest to change this in the existing app if possible.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Using Splunk UF to send data to ELK

HTTP Event Collector

inputs.conf

intermediate forwarder

modular input

universal forwarder

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

Using Splunk UF to send data to ELK