Re: Splunk Forwarding

shaileshpawar21 · ‎04-18-2013

Hello, Can any one please tell me that, Whether splunk reads event from only splunk installed machine or non-splunk machine also ?
Also Please give me idea about forwarding mechanism of splunk.
and one more question is that, in which format splunk forwards events? whether it uses any binary format ? because when I was trying to forward events from splunk to RHEL machine it is forwarded in raw (0#) format. Is this the behavior of splunk or m I going wrong somewhere ?

Thanks In Advance.

sinclairmachado · ‎04-23-2013

Hi Shailesh,
Apologize I did not get your question.
You can also do it by using splunk scheduler or alerting mechanism.

When you generate an alert a CSV file is generated at back-end with results, you can use that and scp it to the server where you want to place it by executing a script.
(When setting up alerting you have an option to execute a script.)

Regards
Sinclair

sinclairmachado · ‎04-25-2013

1) A -> B
This will be your normal splunk configuration that will forward data from server A to splunk server B

2) B -> C
To Send data from splunk server B to server C do the following;
Create a shell script with splunk CLI search redirecting data to a data file.
SCP the file to server C

Example of steps in the shell will be;
$SPLUNK_HOME/bin/splunk search 'index=* search string' -earliest_time='-1d' -latest_time='now' > datafile
scp ./datafile user@server:/path/

Let me know if that works for you.

Regards
Sinclair

shaileshpawar21 · ‎04-24-2013

Thanks Sinclair,

Lets consider I have 3 machines A,B and C.
B is my splunk server. Now I want to receive events from machine A to splunk server B and then froward these events (which are stored in splunk server B) tothird machine C.
Please help in this scenario.

Thanks in advance

shaileshpawar21 · ‎04-21-2013

Thanks you for your response,
Actually I was trying to send events which was stored into splunk.
I want to read that event in non-splunk machine.
can you please help me in that?

Thanks

shaileshpawar21 · ‎04-21-2013

Thanks kristian,
Can you please tell me whole step by step process of receiving and forwarding events.
Actually I want to send RHEL events stored in splunk server to other non-splunk machine.
Please help me in that.

Thanks in advance

kristian_kolb · ‎04-21-2013

Have a look at;

http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Forwarddatatothird-partysystemsd

/k

sinclairmachado · ‎04-18-2013

Following is high level flow;
Splunk Forwarder -> Indexer -> Search Head

Splunk requires splunk forwarder agent (Universal Forwarder / Splunk Light Forwarder / Splunk Heavy Forwarder) to forward data to the splunk indexers from the servers.
eg : you forward logs (/var/log/messages) from your test_server to splunk indexer

The data is forwarded on the receiving port you set on the indexers (by default it is 9997).

Search Head is the central querying hub which will pull data from one or many indexers.

I am not sure why you are trying to send event from splunk servers to the RHEL box, it should be other way round.

Splunk Forwarding

Can’t make it to .conf25? Join us online!

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Customer success is front and center at .conf25

Are you a member of the Splunk Community?

Splunk Forwarding

Can’t make it to .conf25? Join us online!

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Customer success is front and center at .conf25