Getting Data In

forwarding logs to a gcp bucket

yvan-rostand
Engager

Hi,

I am trying to to forward logs from a heavy forwarder to a gcp bucket using the outputs.conf, but it has been unsuccessful (no logs seen in the bucket). Not sure if that has to do with my config file or something else.

Can anyone help me with an example?

This is my outputs.conf and I don't know what is wrong.

# BASE SETTINGS

[tcpout] defaultGroup = primary_indexers

forceTimebasedAutoLB = true



[tcpout:bucket_index]

indexAndForward = true

forwardedindex.0.whitelist = my_index



[bucket]

compressed = false

json_escaping = auto

google_storage_key = “12345abcde”

google_storage_bucket = my-gcp-bucket

path = /path/my-gcp-bucket route = bucket_index
Labels (1)
0 Karma

inventsekar
SplunkTrust
SplunkTrust

Hi @yvan-rostand 

As per my understanding, you should use props and transform.conf as well.

 

Maybe could you pls try this idea - forward data to 3rd party systems:

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

richgalloway
SplunkTrust
SplunkTrust

The problem is Splunk can't do that.  An HF can forward to another Splunk instance or to a syslog receiver.  They cannot send directly to a storage device/service.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...