1) A -> B
This will be your normal Splunk configuration that forwards data from server A to Splunk server B.
2) B -> C
To send data from Splunk server B to server C, do the following:
Create a shell script that runs a Splunk CLI search and redirects the output to a data file.
SCP the file to server C.
Example of the steps in the shell script:
$SPLUNK_HOME/bin/splunk search 'index=* search string' -earliest_time='-1d' -latest_time='now' > datafile
scp ./datafile user@server:/path/
Let me know if that works for you.
Regards
Sinclair
Just as an alternative, you can use a lookup table.
A lookup table is backed by a CSV file. You can update the CSV (lookup table) from a query.
But I guess your request is to use a CSV from your local machine; that will be difficult:
1) It will require authentication.
2) Data will not be consistent across users in the organization, as they will not be able to get the results that you can see (if there is more than one Splunk user).
This issue generally occurs when you have generalized a path to monitor.
Example: [monitor:///var/logs/*]
This causes the issue. I faced the same thing when we added a generalized path (for Oracle logs); the splunkd process was taking up heavy memory.
After changing the path to the specific log file to be monitored, the memory usage settled down.
Example : [monitor:///var/log/messages]
Give it a go, hope it helps.
Hi Shailesh,
Apologies, I did not get your question.
You can also do it by using the Splunk scheduler or alerting mechanism.
When an alert fires, a CSV file with the results is generated on the back end; you can execute a script that takes that file and SCPs it to the server where you want to place it.
(When setting up alerting you have an option to execute a script.)
Regards
Sinclair
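The two approaches in the posts above (a CLI search redirected to a file and then copied with scp, and a script run by a Splunk alert that copies the results file) can be covered by one script. The following is an added example, not code from the original posts: the destination, key path and search string are placeholders to be replaced, and it assumes the legacy scripted alert action, which stores the triggering results as a gzipped CSV and passes its path as argument 8 ($8, also $SPLUNK_ARG_8) to a script placed in $SPLUNK_HOME/bin/scripts.

```shell
#!/bin/sh
# ship_results.sh: added example, not from the original posts.
# Two entry points for getting search results from Splunk server B onto server C:
#   cli   - run a Splunk CLI search and redirect it to a file (first post above)
#   alert - called by a Splunk scripted alert action, which passes the gzipped
#           results CSV as argument 8 ($8, also $SPLUNK_ARG_8) (the later post)
# Either way the file is checked for data rows before being copied with scp.
set -eu

# Assumed values; change for your environment. The key belongs to the account
# that runs splunkd, because that is the account that executes alert scripts.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
DEST="${DEST:-user@serverC:/path/}"               # placeholder destination
SSH_KEY="${SSH_KEY:-/opt/splunk/.ssh/id_ed25519}" # placeholder key path
SCP="${SCP:-scp}"                                 # overridable for dry runs
WORKDIR="${WORKDIR:-}"                            # created per run if empty

# Run a CLI search over the last day and write CSV (header + rows) to $2.
export_search() {
    search="$1"; out="$2"
    "$SPLUNK_HOME/bin/splunk" search "$search" \
        -earliest_time '-1d' -latest_time 'now' -output csv > "$out"
}

# Decompress the results.csv.gz that the alert action hands over into $2.
unpack_results() {
    gz="$1"; out="$2"
    gzip -dc "$gz" > "$out"
}

# Number of data rows, i.e. lines after the CSV header (0 for an empty file).
data_rows() {
    awk 'NR > 1 { n++ } END { print n + 0 }' "$1"
}

# Copy $1 to $2 non-interactively. BatchMode fails instead of prompting, and
# StrictHostKeyChecking=yes requires server C to be in known_hosts already, so
# a changed host key aborts the copy instead of sending the data to a stranger.
ship_file() {
    "$SCP" -i "$SSH_KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes "$1" "$2"
}

main() {
    made_workdir=0
    if [ -z "$WORKDIR" ]; then
        WORKDIR=$(mktemp -d)   # mode 0700, so other local users cannot read the export
        made_workdir=1
    fi
    case "${1:-}" in
        cli)
            out="$WORKDIR/datafile.csv"
            export_search "${2:-index=* search string}" "$out"
            ;;
        *)
            # Alert invocation: $1..$7 are event count, search terms, query,
            # report name, trigger reason, URL and an unused field; $8 is the file.
            gz="${8:-${SPLUNK_ARG_8:-}}"
            if [ -z "$gz" ]; then
                echo "usage: $0 cli '<search>'   (or run as a Splunk alert script)" >&2
                exit 2
            fi
            out="$WORKDIR/results.csv"
            unpack_results "$gz" "$out"
            ;;
    esac
    rows=$(data_rows "$out")
    if [ "$rows" -eq 0 ]; then
        echo "no events in $out; nothing shipped" >&2
        exit 0
    fi
    ship_file "$out" "$DEST"
    echo "shipped $rows rows to $DEST"
    if [ "$made_workdir" = 1 ]; then rm -rf "$WORKDIR"; fi
}

# Run main only when executed as the script itself; sourcing the file (for
# example from a test) just defines the functions.
case "$0" in *ship_results.sh) main "$@" ;; esac
```

Run it by hand or from cron as `./ship_results.sh cli 'index=main sourcetype=syslog error'`, or point an alert's "run a script" action at it and Splunk supplies the eight positional arguments itself. The header-only check matters for the alert path: an alert that fires on zero results would otherwise copy an empty CSV to server C every time.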
Following is the high-level flow:
Splunk Forwarder -> Indexer -> Search Head
Splunk requires a Splunk forwarder agent (Universal Forwarder / Splunk Light Forwarder / Splunk Heavy Forwarder) on the servers to forward data to the Splunk indexers.
e.g. you forward logs (/var/log/messages) from your test_server to the Splunk indexer.
The data is forwarded on the receiving port you set on the indexers (by default it is 9997).
Search Head is the central querying hub which will pull data from one or many indexers.
I am not sure why you are trying to send events from the Splunk servers to the RHEL box; it should be the other way round.
Use the following template for querying:
"some search" | inputlookup append=t test_lookup_table | "what you want to add to the lookup table" | outputlookup test_lookup_table