Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to move events between Splunk instances without moving entire buckets?

wegscd
Contributor
‎12-11-2015 05:38 AM

Is there a good way to move events between Splunk instances (besides moving entire buckets)?

I'm working on some dashboards with someone outside our enterprise, so them accessing our indexers is not a possibility. I've tried do a search to extract the test data, use the table command to show the _time and _raw fields, and export that as a CSV.

That works for some stuff, but the import fails if the events are multiline.

Moving entire buckets is not a good solution: there is a lot of data in that index that is irrelevant to the recipient.

0 Karma
Reply

Lucas_K
Motivator
‎12-13-2015 02:21 PM

Do you have network connectivity to forward the events as udp?

You could use the cef app (with a custom udp mod).

Make a relevant search that matches the events you want to forward to your 3rd party.
Add that into a data model.
Create your cef rule.
Modify it as udp.
Forward udp to 3rd party.

fyi, udp is used as you can bypass creation of the cef field translation and send out raw events.

0 Karma
Reply

hortonew
Builder
‎12-11-2015 04:40 PM

You could try the steps here: https://answers.splunk.com/answers/25174/how-to-export-import-events-from-indexes.html

It's an older post, so please report back if it still works.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top