Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

would like to send logs from Splunk to Qradar?

niha1318
New Member
‎03-07-2019 05:55 AM

Hi,

got a requirement to send logs from Splunk to Qradar. I have gone through few splunk docs, but I couldn't get proper idea on how to start with this requirement. I was able to find some info from IBM knowledge center, as per documentation there is a Qradar app for splunk data forwarding. but i am not sure how it will work.

please let me know if anyone have knowledge on this?

Thanks in advance

Tags (1)
0 Karma
Reply

FrankVl
Ultra Champion
‎03-08-2019 06:14 AM

"we wanted to export previously ingested data from splunk to qradar."

If it is a one off, you could do a search and export the events to csv (use the | fields _raw command to restrict the export to just the raw data).

That can also be automated with a saved search that exports to CSV and I guess also through the REST API.

For more information, see: https://docs.splunk.com/Documentation/Splunk/latest/Search/Exportsearchresults

0 Karma
Reply

FrankVl
Ultra Champion
‎03-07-2019 07:42 AM

Let's start with what kind of data you want to forward. Do you just want to route a copy of some of the data you ingest into splunk also to qradar? Or do you want to send the result of some search / alert / whatever to QRadar?

0 Karma
Reply

niha1318
New Member
‎03-08-2019 02:03 AM

Hi,

we have already ingested data into splunk, we got thousand's of hosts for specific IIS logs. but we don't want to send all of them, we particularly want to send 75 hosts to qradar.

0 Karma
Reply

FrankVl
Ultra Champion
‎03-08-2019 02:26 AM

But do you want to export previously ingested data from Splunk, or do you want to implement a (partial) parallel feed to both platforms?

0 Karma
Reply

niha1318
New Member
‎03-08-2019 06:06 AM

we wanted to export previously ingested data from splunk to qradar.

Thanks,

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...