Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to move events between Splunk instances without moving entire buckets?

wegscd
Contributor
‎12-11-2015 05:38 AM

Is there a good way to move events between Splunk instances (besides moving entire buckets)?

I'm working on some dashboards with someone outside our enterprise, so them accessing our indexers is not a possibility. I've tried do a search to extract the test data, use the table command to show the _time and _raw fields, and export that as a CSV.

That works for some stuff, but the import fails if the events are multiline.

Moving entire buckets is not a good solution: there is a lot of data in that index that is irrelevant to the recipient.

0 Karma
Reply

Lucas_K
Motivator
‎12-13-2015 02:21 PM

Do you have network connectivity to forward the events as udp?

You could use the cef app (with a custom udp mod).

Make a relevant search that matches the events you want to forward to your 3rd party.
Add that into a data model.
Create your cef rule.
Modify it as udp.
Forward udp to 3rd party.

fyi, udp is used as you can bypass creation of the cef field translation and send out raw events.

0 Karma
Reply

hortonew
Builder
‎12-11-2015 04:40 PM

You could try the steps here: https://answers.splunk.com/answers/25174/how-to-export-import-events-from-indexes.html

It's an older post, so please report back if it still works.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What did the zero say to the eight?

June 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...
li.common.scroll-to.top