Getting Data In

What is the best way to stream data out of one Splunk instance to another?

daniel333
Builder

All,

We have some highly unstructured data I'd like to export from one Splunk instance to another one for testing reasons. Basically a few gigs of a subset of the data. I remember seeing a way to replay the data and stream it via TCP to another indexer, but for the life of me I can't find the docs. Any help here?

s2_splunk
Splunk Employee

I don't know if this will meet your use case, but take a look at the Splunk app for CEF. It contains a new search command called cefout, and contrary to the name's implication, it can send data in any format you choose to a defined routing group.
You can find more details in the documentation for the app.

Maybe this provides a decent approach to solve your problem.

0 Karma

nickhills
Ultra Champion

1.) Whilst it won't work in every situation, and depending on what you need to test, you could simply add a test search head to your production indexer - this is the simplest option.
This allows you to test new apps without impacting your production environment, but using all the same data from your prod env.

2.) If you are looking to test a separate index (or maybe testing a cluster), you can configure your production indexer to forward a copy of its events to your test cluster - but this would only apply for new events going forwards.

3.) Finally, if you want to take historic data, you're probably best looking at a backup and restore.

You might want to consider 2 + 3 if your needs are complex.

If my comment helps, please give it a thumbs up!
0 Karma
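A sketch of option 2 from the answer above, added here as an example and not taken from the thread or from Splunk's documentation: the production indexer keeps indexing locally and clones only one sourcetype to the test indexer over TLS. The group name `test_indexers`, the host `test-idx.example.com:9997`, the sourcetype `my_unstructured_data` and the certificate path are placeholders. It assumes events reach the production indexer unparsed (for example from universal forwarders), since events already parsed by a heavy forwarder do not pass through these transforms again.

```ini
# --- outputs.conf on the production indexer ---
[tcpout]
# Keep writing events to the local indexes as well as forwarding them.
indexAndForward = true
# No defaultGroup is set: only events routed explicitly below are forwarded.

[tcpout:test_indexers]
# Placeholder test indexer and receiving port.
server = test-idx.example.com:9997
# Send over TLS and verify the receiver, since this is production data
# leaving the production environment. Certificate path is a placeholder.
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslVerifyServerCert = true

# --- props.conf on the production indexer ---
# Limit the copy to the subset needed for testing (placeholder sourcetype).
[my_unstructured_data]
TRANSFORMS-route_to_test = route_to_test

# --- transforms.conf on the production indexer ---
[route_to_test]
# Match every event of the sourcetype and tag it for the test output group.
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = test_indexers
```

As the answer says, this only affects events indexed after the change; historic data still needs the backup and restore route.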