Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I need to transfer the data from Splunk to a third party server (UDP port)

akd9
New Member
‎09-05-2017 11:16 PM

the configuration for tcp port is below but need to the same for udp port

Transforms:
[bigmoney]
REGEX = event
DEST_KEY=_TCP_ROUTING
FORMAT=bigmoneyreader

Props:
[host::machine name]
TRANSFORMS-filterHost = bigmoney

Outputs:
[tcpout]
defaultGroup = nothing

[tcpout:bigmoneyreader]
server=ipaddress:port
sendCookedData=false

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rphillips_splk
Splunk Employee
Splunk Employee
‎09-06-2017 09:52 AM

@niketn The syslog output processor supports udp you can use the example from our docs to configure this:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Forwarding/Forwarddatatothird-partysystemsd

Send a subset of data to a syslog server
This example shows how to configure a heavy forwarder to forward data from hosts whose names begin with "nyc" to a syslog server named "loghost.example.com" over port 514:

Edit props.conf and transforms.conf to specify the filtering criteria.

In props.conf, apply the send_to_syslog transform to all host names beginning with nyc:
[host::nyc*]
TRANSFORMS-nyc = send_to_syslog

In transforms.conf, configure the send_to_syslog transform to specify _SYSLOG_ROUTING as the DEST_KEY and the my_syslog_group target group as the FORMAT:
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

In outputs.conf, define the my_syslog_group target group for the non-Splunk server:

[syslog:my_syslog_group]
server = loghost.example.com:514
type = udp

View solution in original post

Reply
Solved! Jump to solution
Solution

rphillips_splk
Splunk Employee
Splunk Employee
‎09-06-2017 09:52 AM

@niketn The syslog output processor supports udp you can use the example from our docs to configure this:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Forwarding/Forwarddatatothird-partysystemsd

Send a subset of data to a syslog server
This example shows how to configure a heavy forwarder to forward data from hosts whose names begin with "nyc" to a syslog server named "loghost.example.com" over port 514:

Edit props.conf and transforms.conf to specify the filtering criteria.

In props.conf, apply the send_to_syslog transform to all host names beginning with nyc:
[host::nyc*]
TRANSFORMS-nyc = send_to_syslog

In transforms.conf, configure the send_to_syslog transform to specify _SYSLOG_ROUTING as the DEST_KEY and the my_syslog_group target group as the FORMAT:
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

In outputs.conf, define the my_syslog_group target group for the non-Splunk server:

[syslog:my_syslog_group]
server = loghost.example.com:514
type = udp

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...