forwarding logs to a gcp bucket

yvan-rostand · ‎01-09-2024

Hi,

I am trying to to forward logs from a heavy forwarder to a gcp bucket using the outputs.conf, but it has been unsuccessful (no logs seen in the bucket). Not sure if that has to do with my config file or something else.

Can anyone help me with an example?

This is my outputs.conf and I don't know what is wrong.

# BASE SETTINGS

[tcpout] defaultGroup = primary_indexers

forceTimebasedAutoLB = true



[tcpout:bucket_index]

indexAndForward = true

forwardedindex.0.whitelist = my_index



[bucket]

compressed = false

json_escaping = auto

google_storage_key = “12345abcde”

google_storage_bucket = my-gcp-bucket

path = /path/my-gcp-bucket route = bucket_index

inventsekar · ‎01-09-2024

Hi @yvan-rostand

As per my understanding, you should use props and transform.conf as well.

Maybe could you pls try this idea - forward data to 3rd party systems:

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd

richgalloway · ‎01-09-2024

The problem is Splunk can't do that. An HF can forward to another Splunk instance or to a syslog receiver. They cannot send directly to a storage device/service.

---
If this reply helps you, Karma would be appreciated.

forwarding logs to a gcp bucket

heavy forwarder

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?