Can I forward logs to a third-party server from HF over HTTP?

sudha_krish
New Member

I want to forward the logs to a third-party server from a heavy forwarder over HTTP.
Here is my outputs.conf:

[httpout]
defaultGroup = otel_hec_group

[httpout:otel_hec_group]
#server = thirdparty_server:8443
uri = http://thirdparty_server:8443
useSSL = false
sourcetype = hf_to_otel
disabled = false
sslVerifyServerCert = false
headers = {"Host": "hf_server", "Content-Type": "application/json"}
timeout = 30


But I don't receive logs on the third-party server, and I don't find any errors in the splunkd logs either.


@SplunkSE 

0 Karma

livehybrid
Super Champion

Hi @sudha_krish 

httpout sends Splunk2Splunk (S2S) data but over HTTP (HEC) rather than the typical S2S port 9997. Is this what you are trying to achieve?

It is intended that this is used when you are not able to send data to a remote Splunk instance using typical S2S. 

As @gcusello has said, if you want to send to a non-Splunk system you should look into using syslog output which will send the raw data rather than Splunk-parsed S2S data.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma

PickleRick
SplunkTrust

That's not exactly right.

The httpout uses the same port as the "ordinary" HEC input and uses the same token-based authorization, but the data is sent using an S2S-over-HTTP protocol. It's not the same as what the normal /event endpoint uses. So while you indeed can use it in situations when normal "unknown" protocol connectivity is disallowed so that you can leverage HTTP proxy support and such, it's in no way a standard HTTP POST-based data pushing method.

So the answer to @sudha_krish is no - you can't use httpout output to send data out to a non-Splunk HTTP server. BTW, there is no "headers" parameter for any Splunk outputs, let alone the httpout one.

0 Karma

gcusello
SplunkTrust

Hi @sudha_krish ,

I'm not sure it's possible to forward logs to a third party using HTTP; the usual way is syslog, as described at https://docs.splunk.com/Documentation/SplunkCloud/9.3.2411/Forwarding/Forwarddatatothird-partysystem...

Anyway, HTTP requires the use of a token: did you create a token in the receiver? Did you enable it? Did you pass it to your output?

Ciao.

Giuseppe

0 Karma
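
The syslog output that the replies recommend for a non-Splunk receiver, shown as an added example that is not part of any post in this thread. thirdparty_server is the host name from the question; the group name thirdparty_syslog, port 514 and the TCP transport are assumptions to adjust for the receiver.

```ini
# outputs.conf on the heavy forwarder (added example, not from the thread).
# Sends raw event data as syslog instead of S2S-over-HTTP, so a non-Splunk
# listener can parse it.

[syslog]
# Route data to this syslog target group by default.
defaultGroup = thirdparty_syslog

[syslog:thirdparty_syslog]
# Host name taken from the question; port 514 is an assumed value.
server = thirdparty_server:514
# tcp or udp; tcp is an assumed choice here.
type = tcp
```

The receiver has to run a syslog listener on that port; an HTTP endpoint such as the one on port 8443 in the question will not accept this traffic.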