Getting Data In

How to forward data to a remote app from a Splunk instance that is currently both a search head and indexer?

arkadyz1
Builder

We have a well established Splunk app on an instance which is serving as a Search Head and an Indexer. However, there is some data there which needs to be forwarded to some other site, which hosts a different application. Some of the data comes from a modular input (receiving some TCP traffic), but there are others, like *nix TA, which we would also like to forward to that other app at a different site.

Is there any trick to do that? Any special settings I need to have in inputs.conf and outputs.conf to work properly and not disturb the main operation, which has quite a few indexes and wants its data locally?

1 Solution

muebel
SplunkTrust
SplunkTrust

Hi arkadyz1, you'll want to reference the documentation here: http://docs.splunk.com/Documentation/Splunk/6.4.2/Forwarding/Routeandfilterdatad

Please let me know if this helps!


arkadyz1
Builder

Just to recap my experience, and as a word of caution to others who might read this question:

As soon as you define a forwarding server, the whole Splunk instance turns into a Heavy Forwarder, and everything, including the stuff normally going into _internal, gets forwarded (extremely counterintuitive to me). This is actually documented, but you might easily skip over that part if you search the docs for the specific instructions without reading the whole chapter.

So, what one needs in the case like mine:

  1. Enable selective forwarding. For that you need to add the following stanza somewhere among your outputs.conf files:

    [indexAndForward]
    index=true
    selectiveIndexing=true

  2. Mark each and every input you want to be kept locally (and yes, this includes the files listed in etc/system/default/inputs.conf) as such. Use _INDEX_AND_FORWARD_ROUTING property in the corresponding input stanza for that.

A simple but error-prone procedure - it's easy to forget about an input you want to index locally.

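The two-step recipe above, written out as a complete pair of configuration files. This is an added illustration, not configuration from the thread or from Splunk's own docs; the output group name `othersite`, the receiver host:port and the modular input name `my_tcp_modinput` are assumed placeholders. The stanza names `[monitor://$SPLUNK_HOME/var/log/splunk]` (from etc/system/default/inputs.conf) and `[script://./bin/cpu.sh]` (from Splunk_TA_nix) are the real ones; the overrides go in the respective `local/inputs.conf`, never in the default files.

```ini
# ---- $SPLUNK_HOME/etc/system/local/outputs.conf ----

# Step 1: enable selective indexing. With selectiveIndexing=true this
# instance indexes locally ONLY the inputs that carry
# _INDEX_AND_FORWARD_ROUTING; unmarked inputs are forward-only.
[indexAndForward]
index = true
selectiveIndexing = true

# Deliberately NO defaultGroup here. Without a default group nothing is
# forwarded automatically; an input must opt in with _TCP_ROUTING.
# (Setting defaultGroup is what turns the whole instance into a heavy
# forwarder that ships everything, including _internal.)
[tcpout]

# The remote site's receiver. "othersite" is an assumed group name and
# the host:port is a placeholder.
[tcpout:othersite]
server = remote-indexer.example.com:9997

# ---- $SPLUNK_HOME/etc/system/local/inputs.conf ----

# Step 2a: keep locally. Overrides the default stanza that feeds
# _internal so Splunk's own logs stay on this instance. The value of
# _INDEX_AND_FORWARD_ROUTING is arbitrary; its presence is what counts.
[monitor://$SPLUNK_HOME/var/log/splunk]
_INDEX_AND_FORWARD_ROUTING = local

# Step 2b: forward only. The modular TCP input whose data belongs to the
# other site: no _INDEX_AND_FORWARD_ROUTING, so it is not indexed here.
# "my_tcp_modinput://feed1" is a hypothetical modular input stanza.
[my_tcp_modinput://feed1]
_TCP_ROUTING = othersite

# ---- $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf ----

# Step 2c: index here AND forward. A Splunk_TA_nix scripted input that
# both sites need gets both keys.
[script://./bin/cpu.sh]
_INDEX_AND_FORWARD_ROUTING = local
_TCP_ROUTING = othersite
```

Because the procedure is easy to get wrong by omission, check the merged result before trusting it: `splunk btool inputs list --debug | grep -B1 _INDEX_AND_FORWARD_ROUTING` lists exactly which stanzas will still be indexed locally (anything missing from that list is forward-only), `splunk btool outputs list tcpout --debug` confirms no `defaultGroup` crept in from another app, and a quick `| tstats count where index=* earliest=-15m by index` on the local instance shows whether `_internal` and the application indexes are still receiving events after the restart.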

s2_splunk
Splunk Employee
Splunk Employee

Can you review the documentation here and let us know if this doesn't give you the information you are looking for?


arkadyz1
Builder

Sorry I can't accept both answers - the links provided gave me all the info I needed. It's a non-trivial switch from the universal forwarder's _TCP_ROUTING (in inputs.conf) to the heavy forwarder, with the info spread between four (!) files (inputs.conf, outputs.conf, props.conf and transforms.conf).

In addition, we need to rename the sourcetypes from Splunk_TA_nix - being an OEM, we are allowed only the sourcetypes from a predefined list. Is it best done on the receiving system?
