I have an architecture like this:
Splunk Universal Forwarder 1-N => Splunk Indexer 1 => Splunk Search Head 0
Splunk Universal Forwarder 1-N => Splunk Indexer 2 => Splunk Search Head 0
Splunk Universal Forwarder 1-N => Splunk Indexer N => Splunk Search Head 0
I would like to know if I could forward data from the Splunk Search Head to a third-party software.
I know there are apps like CEP.
But I would like to forward data to the Splunk Indexer for indexing, forward data from the Splunk Indexer to the Splunk Search Head, and finally forward data from the Splunk Search Head to a third-party software.
I don't want to forward from the Splunk Forwarder directly to the third-party software.
I would like a single point (the Splunk Search Head) to forward to the third-party software.
Maybe I am making a mistake with this choice.
What is the best practice, with good security, to avoid exposing all the Splunk Forwarders or all the Splunk Indexers to the third-party software?
I'm sorry for my bad English.
Thank you very much for your help.
Based on your constraints, it's recommended to go with intermediate forwarders.
You can introduce an intermediate forwarder (universal, NOT heavy), so the data flow will look like: all UF >> IF >> Indexer AND 3rd-party software.
Your intermediate forwarder will forward one copy to the indexer and one copy to the 3rd-party solution.
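As an added example (not from the original thread), here is what the outputs.conf and inputs.conf on that intermediate universal forwarder could look like, cloning every event to the indexer group and to the third-party receiver over TLS so that only the IF is ever exposed to the third party. Host names, ports and certificate paths are assumed placeholders.

```ini
# $SPLUNK_HOME/etc/system/local/outputs.conf on the intermediate UF (assumed host: if01)

[tcpout]
# Listing both groups in defaultGroup clones each event to every group,
# so the indexers and the third-party receiver both get a full copy.
defaultGroup = primary_indexers, thirdparty

# Group 1: the Splunk indexers (cooked Splunk-to-Splunk protocol, TLS on).
[tcpout:primary_indexers]
server = indexer1.example.internal:9997, indexer2.example.internal:9997
clientCert = $SPLUNK_HOME/etc/auth/mycerts/if01.pem
sslPassword = <placeholder: key password>
sslVerifyServerCert = true
sslCommonNameToCheck = indexer1.example.internal, indexer2.example.internal

# Group 2: the third-party receiver. It does not speak the Splunk
# protocol, so send the raw (uncooked) stream, one line per event.
[tcpout:thirdparty]
server = siem.partner.example:6514
sendCookedData = false
clientCert = $SPLUNK_HOME/etc/auth/mycerts/if01.pem
sslPassword = <placeholder: key password>
sslVerifyServerCert = true
sslCommonNameToCheck = siem.partner.example

# $SPLUNK_HOME/etc/system/local/inputs.conf on the same intermediate UF:
# accept the universal forwarders on 9997 over TLS and require a client
# certificate, so an unknown host cannot inject data into the pipeline.
[splunktcp-ssl:9997]

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/if01.pem
sslPassword = <placeholder: key password>
requireClientCert = true
```

Because a universal forwarder does not parse, the raw stream sent to the third party is the input as read; if the receiver needs true syslog framing, Splunk's documentation puts the [syslog] output stanza on a heavy forwarder instead. Firewall the third-party side so it can only be reached from the IF's address, which keeps the UFs and indexers unexposed as the question asks.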
Thank you very much for your reply and your solution.
You're welcome. If you think my answer helped you an upvote would be appreciated 🙂