Forward to Search Head

myitlab1000 · ‎07-15-2020

Hello,

I have an architecture like this :

Splunk Universal forwarder 1_N => Splunk Indexer 1 => Splunk Search Head 0

Splunk Universal forwarder 1-N => Splunk Indexer 2 => Splunk Search Head 0

Splunk Universal forwarder 1-N => Splunk Indexer N => Splunk Search Head 0

I would like to know if i could forward data from Splunk Search Head to a third party software

I know there is apps like CEP.

But i would like to forward data to Splunk Indexer for indexing data aand forward data from Splunk Indexer to Splunk Search Head, and finaly forward data from SplunkSearch Head to a third party software.

I don't want to forward from Splunk Forwarder drectly to third party software.

I would like a single point (Splunk Search Head) to forward to third party software.

May be , i make a mistake with this choice.

What the best practice with a good security to avoid exposing all the Splunk Forwarder or all the Splunk indexer to the third party software.

I'm sorry for my bad english.

Thank you very much for your help.

faizancool85 · ‎07-15-2020

Based on your constraints Its recommended to go with Intermediate Forwarders.

You can introduce intermediate forwarder(universal NOT Heavy), So the data flow will look like all UF>>IF>>Indexer AND 3rd Party Software.

Your intermediate forwarder will forward one copy to the indexer and one copy to the 3rd party solution.

myitlab1000 · ‎07-15-2020

Hello,

Thank you very much for your reply and your solution.

faizancool85 · ‎07-16-2020

You're welcome. If you think my answer helped you an upvote would be appreciated 🙂

Forward to Search Head

configuration

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?