How to forward indexed data to RSA NetWitness?

Splunk Search

So I will start with the details of my setup. I am running a single server instance on a network of ~300 endpoints. All of my systems are forwarding to a total of 4 indexes currently. I am using Splunk (currently 7.2.6) strictly for audit collection and review.

We have a requirement to send our audit data to our client for their collection requirements as this system is here to support our business with them. They are using RSA's NetWitness and want the data converted to syslog format over UDP.

I have seen a few write-ups on this out there but I feel like they do not fit my situation close enough to trust them. So how do I send the data in the 4 relevant indexes to them in syslog format from my Splunk Enterprise server? Also, how do I set a limit on how much and how fast this forwarding would take place? I don't want to kill bandwidth just so they can warehouse data I am already storing.

Thanks!

Get Updates on the Splunk Community!

How to forward indexed data to RSA NetWitness?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

How to forward indexed data to RSA NetWitness?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25