Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Forwarder send data to http event collector

kochera
Communicator
‎06-11-2017 11:57 PM

Hi,

we would like to forward all data from a splunk instance in the "cloud" to an on-premise http event collector. Is there a way of doing this?

cheers,
Andy

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎06-12-2017 12:32 AM

If you wanted to send to HEC, you'd basically have to export the search results to file, and then post those to the HEC endpoint.

If you're sending Splunk-2-Splunk, why are you wanting to use HEC? You can add and outputs on one of your "Cloud Instances" that points to your on-premise Splunk, and selectively forward data.. Check out the Routing and Filtering of data : http://docs.splunk.com/Documentation/Splunk/6.6.1/Forwarding/Routeandfilterdatad

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-13-2017 04:45 AM

You can send S2S (splunk-to-splunk) over any port that you like so what I would do is just use this, but use your preferred port instead of the default of 9997:

https://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/Forwardmasterdata
I am assuming that when you say "splunk instance" that you mean "splunk indexer" but if you just mean "splunk forwarder" then again, you can do the same thing in outputs.conf but you will also have to do a similar thing in inputs.conf for your receiving Splunk indexers to receive it.

0 Karma
Reply
Solved! Jump to solution

kochera
Communicator
‎06-13-2017 04:58 AM

Hi,
we already have a HEC up and running and this is the only service we want to expose.

cheers,
Andy

0 Karma
Reply
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎06-12-2017 12:32 AM

If you wanted to send to HEC, you'd basically have to export the search results to file, and then post those to the HEC endpoint.

If you're sending Splunk-2-Splunk, why are you wanting to use HEC? You can add and outputs on one of your "Cloud Instances" that points to your on-premise Splunk, and selectively forward data.. Check out the Routing and Filtering of data : http://docs.splunk.com/Documentation/Splunk/6.6.1/Forwarding/Routeandfilterdatad

0 Karma
Reply
Solved! Jump to solution

kochera
Communicator
‎06-12-2017 12:46 AM

Hi,
the reason why we want to use HEC is that we don't want to open additonal tcp ports towards our on-premise Splunk instance.

cheers,
Andy

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...