Is it possible to forward data to third-party syst...

tulinski · ‎04-26-2017

Is it possible to forward cooked parsed data (containing all fields) in json format to some external TCP end-point (using Heavy Forwarder)?
I found that it is possible to send cooked data, but I couldn't find specs for this format, is it possible to use this kind of data in external TCP end-points or it is Splunk internal format, which shouldn't be used outside of Splunk? According to docs in case of Heavy Forwarder these cooked data should be parsed. I am wondering what rules are used in process of parsing events by Heavy Forwarder? How does it know what fields should it look for in raw data?

jamesbrock · ‎04-26-2017

you can send raw logs using outputs.conf "sendCookedData"

outputs.conf
sendCookedData=false

tulinski · ‎04-27-2017

I assume you mean I cannot achieve what I want. I'd like to setup forwarder to send messages containing all fields (like they were indexed). I thought maybe it is possible as forwarder has an option indexAndForward.

vsingla1 · ‎09-27-2018

@tulinski Did you ever find a way to send splunk cooked data to third-party systems?

schitra15 · ‎12-05-2019

Hi. Did you find a solution to get indexed data out of splunk to a third party system?

Is it possible to forward data to third-party systems in other formats than syslog and raw?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor