Hi,
We have 2 separate stacks:
1) Splunk forwarder with Splunk
2) ELK stack
We want to understand if there is any way to push the data from Elasticsearch or Logstash to Splunk.
This might be helpful for anyone visiting; I have started working on an addon for Elasticsearch instances, feel free to use it!
https://splunkbase.splunk.com/app/4175/
I've been researching this question myself, and the best I can tell from the docs there is no mechanism to push all data from Elasticsearch to another destination. ... However, having worked with Logstash before, I can say that it would definitely support sending all data to a second destination -- and with special handling (filtering, transformation, etc.) if you desired. Search "logstash output-plugins" and you should find what you need.
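To make the Logstash route concrete, here is an added example pipeline (it is not from the original thread, nor from Elastic or Splunk) that keeps writing to Elasticsearch and additionally ships a copy of every event to Splunk's HTTP Event Collector (HEC) using the stock Logstash `http` output plugin. The hostnames, the HEC token, the CA certificate path, the index names and the ECS field paths (`[host][name]`, `[log][file][path]`, which assume a Filebeat/Beats source) are placeholders and assumptions you would replace with your own.

```logstash
# Added example (not from the thread): Logstash pipeline that keeps Elasticsearch
# as a destination and forwards a copy of every event to Splunk HEC.
# Placeholders: es.example.internal, splunk.example.internal, the HEC token,
# the CA path, the index names and the Beats/ECS field paths.
input {
  beats { port => 5044 }
}

filter {
  # Drop Logstash/Beats bookkeeping fields that only add noise in Splunk.
  mutate { remove_field => ["@version", "agent", "ecs"] }
}

output {
  # Existing ELK destination stays exactly as it was.
  elasticsearch {
    hosts => ["https://es.example.internal:9200"]
    index => "logs-%{+YYYY.MM.dd}"
  }

  # Second destination: the Splunk HEC event endpoint. Each event becomes one
  # JSON envelope with an explicit index and sourcetype, so Splunk parses it
  # with the same props/transforms it would apply to forwarder data.
  http {
    url          => "https://splunk.example.internal:8088/services/collector/event"
    http_method  => "post"
    format       => "json"
    content_type => "application/json"
    headers => {
      # Placeholder HEC token; scope the token to the target index in Splunk.
      "Authorization" => "Splunk 00000000-0000-0000-0000-000000000000"
    }
    # Trust only the CA that issued the HEC certificate (placeholder path).
    cacert => "/etc/logstash/certs/splunk-hec-ca.pem"
    # Send a curated envelope rather than the whole Logstash event.
    # Without a "time" key Splunk stamps the event with its receipt time.
    mapping => {
      "event"      => "%{message}"
      "host"       => "%{[host][name]}"
      "source"     => "%{[log][file][path]}"
      "sourcetype" => "elk:logstash"
      "index"      => "elk_forward"
    }
    # Retry on throttling and transient server errors instead of dropping data.
    retry_failed    => true
    retryable_codes => [429, 500, 502, 503, 504]
  }
}
```

Two design points worth knowing before relying on this: outputs in one Logstash pipeline share a batch, so if Splunk is unreachable the `http` output's retries will also stall delivery to Elasticsearch; if that matters, put the HEC output in its own pipeline (pipeline-to-pipeline) with a persistent queue. And the `mapping` block is what makes the forwarded data usable for SIEM-style monitoring, because `sourcetype` and `index` are set explicitly rather than left to Splunk's default guessing.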
Can you install a Splunk forwarder on Elastic Search server?
Then monitor the location of the logs.
Just add this to /SplunkForwarderHome/etc/system/local/inputs.conf
# Example forwarder inputs.conf
[default]
host = yourelastichostname

# Main Logstash logs are written to /LS_HOME/logs/[cluster_name].log
[monitor:///var/log/logstash/*.log]
index = logstash
sourcetype = logstash

# Main Elasticsearch logs are written to /ES_HOME/logs/[cluster_name].log
[monitor:///var/log/elastic/*.log]
index = elastic
sourcetype = elastic

# Note: the folder might be called log rather than logs, for example:
# /var/log/elasticsearch.log
# /var/log/elasticsearch-access.log
# /var/log/elasticsearch_deprecation.log
Good luck
Would love to know if anyone has found an answer for this. Same situation here... using ELK for logging and want to forward logs from the ELK Syslog NG servers to Splunk. No problems getting the data to Splunk, but since we want to use Splunk as the SIEM (for monitoring), it's got to be in a very specific format. Usually the Splunk universal forwarders put the data into this format, but we're trying to get the info to Splunk (in a format usable for the SIEM) without having to load the Splunk UF onto every device to be monitored. Has anyone been successful at this?
Did you get an answer to this? I have the same situation.
I have always wondered if there would ever be an app like DBx that would allow you to connect into an Elastic cluster for searching, but I'm not sure how Splunk would feel about that considering its license model...
Many times have I needed something to "filter" all the noise, but I've had a requirement to still keep the noise.
See if this post helps.
No, we want these 2 stacks to stay separated. What I want to know is whether there is any way to get the data from Elasticsearch from Splunk.
So you want to be able to use the SPL Search bar to search elastic search peers? Is that correct?
On top of that Splunk will be used for Monitoring and alerting while ELK is used for debugging.
Hi.
Did you get an answer for this. I have the same issue.
Thanks
Robert Lynch