Is there anyway to push data from Elasticsearch or...

ant_ony10 · ‎02-25-2016

Hi,

We have 2 separate stacks
1) Splunk forwarder with Splunk
2) ELK stack
We want to understand if there is any way to push the data from Elasticsearch or Logstash to Splunk.

larmesto · ‎09-25-2018

This might be helpful for anyone visiting; I have started working on an addon for Elasticsearch instances, feel free to use it!
https://splunkbase.splunk.com/app/4175/

kace · ‎05-17-2018

I've been researching this question myself, and the best I can tell from doc.s there is no mechanism to push all data from Elasticsearch to another destination. ... However, having worked with Logstash before, I can say that it would definitely support sending all data to a second destination -- and with special handling (filtering, transformation, etc.) if you desired. Search "logstash output-plugins" and you should find what you need.

dkeesling · ‎12-21-2016

Can you install a Splunk forwarder on Elastic Search server?

Then monitor the location of the logs.

Just add this to /SplunkForwarderHome/etc/system/local/inputs.conf

# Example of forwarder /inputs.conf

[default]
host = yourelastichostname

# Main Logstashlogs are written to /LS_HOME/logs/[cluster_name].log
[monitor:///var/log/logstash/*.log]
index=logstash
sourcetype=logstash

# Main Elasticsearch logs are written to /ES_HOME/logs/[cluster_name].log
[monitor:///var/log/elastic/*.log]
index=elastic
sourcetype=elastic


# Folder might be called log not logs Example
# /var/log/elasticsearch.log
# /var/log/elasticsearch-access.log
# /var/log/elasticsearch_deprecation.log

Just make sure to check the location of the log - add the config.
Then restart the forwarder.
Profit

Good luck

DaddyRat · ‎12-02-2016

Would love to know if anyone has found an answer for this. Same situation here...using ELK for logging and want to forward logs from the ELK Syslog NG servers to Splunk. No problems getting the data to Splunk, but since we want to use Splunk as the SIEM (for monitoring), it's got to be in a very specific format. Usually the Splunk universal forwarders put the data into this format, but we're trying to get the info to Splunk (in a format usable for the SIEM) without having to load the Splunk UF onto every device to be monitored. Has anyone been successful at this?

robertlynch2020 · ‎01-10-2018

Did you get n answer to this? I have the same situation.

nickstone · ‎02-26-2016

I have always wondered if there would ever be an app like DBx that would allow you to connect into an Elastic cluster for searching, but I'm not sure how Splunk would feel about that considering it's license model...

Many times have I needed something to "filter" all the noise, but I've had a requirement to still keep the noise.

s2_splunk · ‎02-25-2016

See if this post helps.

ant_ony10 · ‎02-26-2016

No we want these 2 stack will be separated.I want is there any way to get the data from elasticsearch from Splunk .

alacercogitatus · ‎02-26-2016

So you want to be able to use the SPL Search bar to search elastic search peers? Is that correct?

ant_ony10 · ‎02-25-2016

On top of that Splunk will be used for Monitoring and alerting while ELK is used for debugging.

robertlynch2020 · ‎01-10-2018

Hi.

Did you get an answer for this. I have the same issue.

Thanks
Robert Lynch

Is there anyway to push data from Elasticsearch or Logstash to Splunk?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms