Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to forward indexed data to RSA NetWitness?

Bakerton
New Member
‎02-13-2020 07:07 AM

So I will start with the details of my setup. I am running a single server instance on a network of ~300 endpoints. All of my systems are forwarding to a total of 4 indexes currently. I am using Splunk (currently 7.2.6) strictly for audit collection and review.

We have a requirement to send our audit data to our client for their collection requirements as this system is here to support our business with them. They are using RSA's NetWitness and want the data converted to syslog format over UDP.

I have seen a few write-ups on this out there but I feel like they do not fit my situation close enough to trust them. So how do I send the data in the 4 relevant indexes to them in syslog format from my Splunk Enterprise server? Also, how do I set a limit on how much and how fast this forwarding would take place? I don't want to kill bandwidth just so they can warehouse data I am already storing.

Thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...