Hello,
We are trying to send some data to a third party system that is hitting our indexers from Universal Forwarders, thus we can't send it via syslog as described here: http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Forwarddatatothird-partysystemsd because it is not going to Heavy Forwarders.
We have been trying to use Hadoop Connect to run a query to write the desired data to HDFS, but there are errors that cause the destination directory in HDFS to be cleaned up and all data is removed. For example, if the scheduled export search is to be performed every hour, the directory grows and grows, but after the hour is up all data is removed from that directory and it starts all over again. We have tried different intervals for export but nothing has worked. The errors we are getting revolve around "Reading errors while waiting for the indexers". We are trying to pull back ~30GB every hour and we suspect there to be an issue with Splunk keeping up with our search.
1) Any ideas of ways to make Hadoop Connect in this instance work or to debug it better?
2) Are there any alternatives to sending data to a third party system with this configuration?
Thanks.
... View more