Join the Conversation
- Find Answers
- :
- Splunk Products
- :
- Splunk Enterprise
- :
- Re: Forward to Search Head
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Forward to Search Head
Hello,
I have an architecture like this :
Splunk Universal forwarder 1_N => Splunk Indexer 1 => Splunk Search Head 0
Splunk Universal forwarder 1-N => Splunk Indexer 2 => Splunk Search Head 0
Splunk Universal forwarder 1-N => Splunk Indexer N => Splunk Search Head 0
I would like to know if i could forward data from Splunk Search Head to a third party software
I know there is apps like CEP.
But i would like to forward data to Splunk Indexer for indexing data aand forward data from Splunk Indexer to Splunk Search Head, and finaly forward data from SplunkSearch Head to a third party software.
I don't want to forward from Splunk Forwarder drectly to third party software.
I would like a single point (Splunk Search Head) to forward to third party software.
May be , i make a mistake with this choice.
What the best practice with a good security to avoid exposing all the Splunk Forwarder or all the Splunk indexer to the third party software.
I'm sorry for my bad english.
Thank you very much for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on your constraints Its recommended to go with Intermediate Forwarders.
You can introduce intermediate forwarder(universal NOT Heavy), So the data flow will look like all UF>>IF>>Indexer AND 3rd Party Software.
Your intermediate forwarder will forward one copy to the indexer and one copy to the 3rd party solution.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Thank you very much for your reply and your solution.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're welcome. If you think my answer helped you an upvote would be appreciated 🙂
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
