Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is the best option to send/store data to S3 as and when the data lands in Splunk?

danilreddy
Loves-to-Learn Everything
‎05-01-2022 05:59 AM

I have an use case where I need to run the analytics on top of data that lands into Splunk. So, I want to store all the data into S3 too as and when the data lands into Splunk.

I would like to know the best possible way we have with latest version of Splunk Enterprise/Splunk Cloud platform to save copy of Splunk data into S3 as and when the data comes into Splunk.

Please give suggestions on the same.

Thanking you.

Labels (2)
Labels
0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎05-02-2022 11:45 PM

If you instead interested in a selective export you could use Export Everything from SplunkBase

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

danilreddy
Loves-to-Learn Everything
‎05-11-2022 06:19 AM

I want to forward data that is loaded to Splunk, not from search!

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎05-01-2022 10:14 PM

@danilreddy - Splunk can forward data to not only Splunk but any external system or script as well.

One way you can do that is as follows.

 

Another way to approach this is to move Splunk to smart storage where Splunk itself stores the data on S3 buckets.

And then you can do the analysis that you want right on Splunk. You can use tools like the Machine learning toolkit (https://www.splunk.com/en_us/software/splunk-enterprise/machine-learning.html ) and you can also have your own Python tools and scripts that you can use.

This way you will require less storage and you don't have to right your own script that sends data to the cloud.

https://docs.splunk.com/Documentation/Splunk/8.2.6/Indexer/AboutSmartStore 

 

Which approach to choose depends on:

  • how much data you want to store on S3
  • what kind of analysis you want to do
  • is there any business requirement
  • etc

 

I hope this helps!!! Karma/upvote would be appreciated!!!

0 Karma
Reply

danilreddy
Loves-to-Learn Everything
‎05-11-2022 06:31 AM

@VatsalJagani 

Thanks for the prompt response. I got some understanding going through your inputs.

But I could not able to find how to forward the parsed index data with schema.

When I tried sendCookedData to true, it sends the data in un-readable format.

Please let me know if there is way to forward the structured parsed data to third party system.

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎05-11-2022 10:16 AM

@danilreddy - Splunk-cooked data can only be understand by Splunk.

 

You want to send data to third-party system (S3 buckets here), you can use this document to send data on Syslog, this will send data as read by Splunk not in the same format as you can see on Splunk.

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd 

 

0 Karma
Reply

danilreddy
Loves-to-Learn Everything
‎05-11-2022 11:19 AM

@VatsalJagani  I tried this configuration. It sends the raw data and as you said cooked data is not in readable format. Thanks for your response.

 

Splunk Team:

I am researching for the option that sends the indexed data in json format. I am trying IndexAndForward and _Index_and_forward_routing etc configurations but I am unable to succeed,

Can I get simple tutorial that explains Index and forward usecase.

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎05-11-2022 12:21 PM

@danilreddy - Index and forward are just the cooked data forwarding. 

With just that it will also index data locally on the Splunk forwarder.

Useful when you want to clone the same data to two different Splunk instance/cluster.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...