Solved: How to send Data from SPLUNK to Consumer in real t...

SplunkDash · ‎09-01-2022

Hello,

I have a few use cases to send data from SPLUNK to consumers in real time, and consumers have both Linux/Windows OS. Does SPLUNK has any options to do that? Or how would we do it? Any help will be highly appreciated. Thank you so much.

gcusello · ‎09-02-2022

Hi @SplunkDash,

in this case, see at https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Replicate_a_subse...

Ciao.

Giuseppe

View solution in original post

gcusello · ‎09-01-2022

Hi @SplunkDash,

what do you mea with "send data from SPLUNK to consumers in real time"?

if you mean forwarding all (or a part of) events via syslog or to anothe Splunk, it's possible, could you better describe your request?

Ciao.

Giuseppe

SplunkDash · ‎09-02-2022

Hello @gcusello

Thank you so much for you quick response. It is about to send events or part of the events SPLUNK receives as raw data either through syslog servers or UFs./HFs I need to send/forward those raw events (or processed data by SPLUNK from those raw events ) to other servers (not other SPLUNK) or other locations (don't have SPLUNK there). Thank you again.

gcusello · ‎09-02-2022

Hi @SplunkDash,

in this case, see at https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Replicate_a_subse...

Ciao.

Giuseppe

SplunkDash · ‎09-02-2022

Hello @gcusello ,

Thank you so much and it's really very resourceful on sending/forwarding data to third party (non SPLUNK) using HF. But, is there any ways third party machine/computer can pull data from SPLUNK to their machines. Thank you so much, greatly appreciate your support in these efforts.

PickleRick · ‎09-03-2022

In theory you could use API to constantly "pull" data from Splunk but there are some issues with that approach.

1) If you use real-time search, you're allocating one CPU on each indexer exclusively to your search.

2) If you want to do it by searching often for short batches of events - you will face problems with making sure you're not searching twice for the same events but on the other hand, don't miss any events. You will also have problems if some events are indexed out of order, especially with a significant delay.

Splunk isn't meant for such "streaming" events which are already indexed.

SplunkDash · ‎09-03-2022

Hello @PickleRick ,

Thank you so much. Those are very good points. But what are the optimal/possible solutions if we need to send/pull/forward data from SPLUNK to any other third party machines.

PickleRick · ‎09-03-2022

Honestly - I'd say "don't".

If you want to pull all data from a given index or set of indexes only to analyze it in an external tool to find something, do some stats and so on... that's what Splunk is for!

Just come up with a search that finds it for you and just run that search with API and only fetch the results.

That's the way to do it.

SplunkDash · ‎01-07-2023

@PickleRick

I submitted a question @ REST API to send Data to Third Party Server - Splunk Community

would be highly appreciated if you can join that discussion. Thank you!

gcusello · ‎09-02-2022

Hi @SplunkDash ,

the only way to permit to an external system to pull data from Splunk, you have to use Splunk APIs

I'm not an exper in Splunk APIs using, but you could useful help at https://dev.splunk.com/enterprise/reference/ and https://docs.splunk.com/Documentation/Splunk/9.0.1/RESTREF/RESTprolog

Ciao.

Giuseppe

How to send Data from SPLUNK to Consumer in real time?

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!