Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to move events between Splunk instances without moving entire buckets?

wegscd
Contributor
‎12-11-2015 05:38 AM

Is there a good way to move events between Splunk instances (besides moving entire buckets)?

I'm working on some dashboards with someone outside our enterprise, so them accessing our indexers is not a possibility. I've tried do a search to extract the test data, use the table command to show the _time and _raw fields, and export that as a CSV.

That works for some stuff, but the import fails if the events are multiline.

Moving entire buckets is not a good solution: there is a lot of data in that index that is irrelevant to the recipient.

0 Karma
Reply

Lucas_K
Motivator
‎12-13-2015 02:21 PM

Do you have network connectivity to forward the events as udp?

You could use the cef app (with a custom udp mod).

Make a relevant search that matches the events you want to forward to your 3rd party.
Add that into a data model.
Create your cef rule.
Modify it as udp.
Forward udp to 3rd party.

fyi, udp is used as you can bypass creation of the cef field translation and send out raw events.

0 Karma
Reply

hortonew
Builder
‎12-11-2015 04:40 PM

You could try the steps here: https://answers.splunk.com/answers/25174/how-to-export-import-events-from-indexes.html

It's an older post, so please report back if it still works.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...