For demo purposes, I plan to set up a single-box (all-in-one) instance of Splunk and would like to configure Splunk such that all inputs that Splunk ingests are stored in a local log file.
Is there an option in Splunk to log all of its raw input?
Or to forward it to another host:port?
Or if not, what would be the most straightforward programmatic direction for this?
Thanks!
The easiest way to preserve your syslog would be to send the data to a syslog server first (like rsyslog, syslog-ng) and then have a Splunk forwarder monitor those files. However, you can forward data from Splunk to another host.
http://docs.splunk.com/Documentation/Splunk/5.0.4/Deploy/Forwarddatatothird-partysystemsd
You could use our SDKs to pull the data out of Splunk as well.
dev.splunk.com
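The forwarding option mentioned in the answer, sketched as an `outputs.conf` for an all-in-one instance. This is an added example, not part of the original answer; the group name `raw_copy` and the receiver address are placeholders, and it assumes a plain TCP listener (for example rsyslog or syslog-ng) on the other end that writes what it receives to a file.

```ini
# $SPLUNK_HOME/etc/system/local/outputs.conf
# Added example: group name and receiver address are placeholders.

[tcpout]
# Keep indexing locally on the single box while also sending a copy out.
indexAndForward = true
defaultGroup = raw_copy

[tcpout:raw_copy]
# Placeholder receiver (documentation-range address); replace with the
# host:port of the listener that should get the copy.
server = 192.0.2.10:5140
# Send the raw event stream rather than Splunk's cooked format, so that a
# non-Splunk receiver can read it.
sendCookedData = false
```

Restart Splunk after editing the file. The raw stream is not encrypted, so keep the receiver on a trusted network segment or on the same host.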
Thank you!