Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Forwarding data to third party from universal forwarder

jflaherty
Path Finder
‎07-18-2017 10:29 AM

Hello,

I currently have some Windows Servers with the Universal Forwarder installed that are sending data to our indexer. I am now in a situation where I need to have the forwarder also send the data to a third party server. According to the documentation, the following in outputs.conf should send all data;

[tcpout]

[tcpout:fastlane]
server = 10.1.1.2:1517
sendCookedData = false

However, I have the third party server getting data but only is receiving "INFO" type logs which appear to be transaction type information from the splunk forwarder program itself and not the actual log data (windows events iis etc.) that I am sending into splunk that I need.

Am I missing something or will the universal forwarder not send that data?

Thanks

0 Karma
Reply

ddrillic
Ultra Champion
‎08-09-2018 07:30 AM

We do the following -

In outputs.conf we specify multiple tcpout stanzas -

[tcpout:xxxxxx]
....


[tcpout:yyyyyy]
....

If you don't specify anything in inputs.conf all data will be streamed to both directions (or three if you choose to).

0 Karma
Reply

mdsnmss
SplunkTrust
SplunkTrust
‎07-18-2017 12:49 PM

Do you have a props.conf and transforms.conf configured to tell the forwarder what data to send? See: http://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Forwarddatatothird-partysystemsd

In props.conf:

 [<sourcetype/data to send>]
 TRANSFORMS-fastlane = fastlane

In transforms.conf

    [fastlane]
    REGEX = .
    DEST_KEY=_TCP_ROUTING
    FORMAT=fastlane

It might vary a bit for your configuration but the linked docs walk through it pretty well.

Reply

chakradhar_maje
New Member
‎08-08-2018 07:33 AM

How to check the data in third party server

0 Karma
Reply

jflaherty
Path Finder
‎07-18-2017 12:53 PM

I saw that in the documentation but it said it was for a heavy forwarder, I am using a Universal Forwarder. I will give it a try and see, it would allow me to separate better than the way I was doing it with the default group. Thansk

0 Karma
Reply

mdsnmss
SplunkTrust
SplunkTrust
‎07-18-2017 12:55 PM

Yep, you're right. I believe with a universal forwarder you can forward everything using what you just posted. Using a heavy forwarder you can selectively forward data to the third-party system.

0 Karma
Reply

jflaherty
Path Finder
‎07-18-2017 12:47 PM

Figured it out. I need to add the group fastlane to the tcpout default group;

[tcpout]
defaultGroup = default-autolb-group*, fastlane <--- Added*

Thanks

0 Karma
Reply

deepak453
New Member
‎08-09-2018 07:12 AM

Where you have added the below, Is the same in outputs.conf located in local directory? I am really a newbie in splunk, would like to know did you updated below as is.

[tcpout]
defaultGroup = default-autolb-group*, fastlane <--- Added*

0 Karma
Reply
Get Updates on the Splunk Community!

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...