Getting Data In

splunk tcp output format...

Steve_Litras
Path Finder

if I wanted to write a receiver for splunk data (i.e. have my index server(s) forward data via tcpout in the outputs.conf), is the format for splunk2splunk traffic published anywhere?

I know it seems like an obscure need, but nonetheless, I've got it. 🙂

Thanks Steve

Tags (1)
2 Solutions

ziegfried
Influencer

Why not just sending out syslog? Consuming this should be quite easy.

View solution in original post

mitch_1
Splunk Employee
Splunk Employee

It's not documented, and probably never will be. If you need event metadata you're probably best off with the realtime search suggestion above -- that way you have control about exactly what fields you get.

View solution in original post

southeringtonp
Motivator

It doesn't look like a tremendously complex protocol. You can always fire up a netcat listener, dump everything to a file, and take a peek.

Of course, there's no guarantee that it won't get changed in the next release of Splunk. Looks like the format is already on version 2.

0 Karma

mitch_1
Splunk Employee
Splunk Employee

It's not documented, and probably never will be. If you need event metadata you're probably best off with the realtime search suggestion above -- that way you have control about exactly what fields you get.

ziegfried
Influencer

Why not just sending out syslog? Consuming this should be quite easy.

ziegfried
Influencer

Maybe it would be easier to use a script that performs a constant realtime search on the events your're interested in and sends them to the target system.

0 Karma

Steve_Litras
Path Finder

The problem with the syslog output is that it just dumps the raw event, no metadata. I need some of the metadata from the cooked event stream.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...