Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Forward indexed logs to 3rd Party System from Indexers via REST API or any other method

warsaw
Loves-to-Learn Lots
‎04-19-2021 04:35 AM

We have indexers and Universal Forwarders and no Heavy Forwarders in use, i know UF cannot send parsed data to any external system it can only send uncooked data and all of them , but can the indexers send the parsed logs(only specific e.g. from windows index) to external system, maybe through REST API or syslog or any other mechanism?

the sequence would be like this : UF>>Indexers>>External System.

0 Karma
Reply

aasabatini
Motivator
‎04-19-2021 04:40 AM

Hi @warsaw 

 

yes you can route your data on third system native based on syslog.

check this page  under "Replicate a subset of data to a third-party system"

https://docs.splunk.com/Documentation/Splunk/8.1.3/Forwarding/Routeandfilterdatad

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply

warsaw
Loves-to-Learn Lots
‎04-19-2021 04:44 AM

@aasabatini yes i'd checked this already, this shows how to route cooked logs from HF to indexer and raw to external system, not cooked data from indexer to external system.

0 Karma
Reply

aasabatini
Motivator
‎04-19-2021 04:59 AM

Hi @warsaw 

 

yes you can route your data from your indexer specify the all condition on the outputs.conf

for example if you want index a syslog source and forward from indexer you need to specify on your stanza this.

[indexAndForward]
index=true
selectiveIndexing=true

Also on your forwarder if you want manage your source you need to specify  the inputs stanza.

[input_stanza]
_INDEX_AND_FORWARD_ROUTING=<any_string>

I hope this link can help

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf#IndexAndForward_Processor-----

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
Reply

warsaw
Loves-to-Learn Lots
‎04-19-2021 11:57 PM

I see this is available for only heavy forwarders.

indexAndForward = <boolean>
* Set to "true" to index all data locally, in addition to forwarding it.
* This is known as an "index-and-forward" configuration.
* This setting is only available for heavy forwarders.
* This setting is only available at the top level [tcpout] stanza. It
  cannot be overridden in a target group.
* Default: false

 

0 Karma
Reply

aasabatini
Motivator
‎04-20-2021 04:01 AM

Hi @warsaw 

the 

indexAndForward

stanza works for all splunk roles.

check this answer is more similar on your case.

https://community.splunk.com/t5/Getting-Data-In/How-to-index-all-locally-and-forward-specific-source...

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...