Admin Manual

 



How to forward Splunk data to non-Splunk systems

This documentation does not apply to the most recent version of Splunk.

Splunk can forward a copy of the data that it's indexing to non-Splunk systems that are listening on any network port.


To do this, enable forwarding using Splunk-2-Splunk. See How to Configure Forwarding for instructions. Instead of a Splunk Server's IP address or DNS name and port, specify the host and port where the other system is listening.


However, before you restart, you will need to make one manual addition to Splunk's TCP forwarding configuration file.


# vi splunk/etc/modules/output/TCP/config.xml

Put <sendCookedData>false</sendCookedData> just above the <uri> tag in this file, like this:


<?xml version="1.0"?>
<module>
   <pipeline name="tcp-output-generic-pipeline" type="startup">
      <processor name="outboundIn" plugin="queueinputprocessor">
         <config>
            <queueName>tcp-output-generic</queueName>
         </config>
      </processor>
      <processor name="thruput" plugin="thruputprocessor">
         <config>
            <key>_raw</key>
            <timeIntervalSecs>30</timeIntervalSecs>
         </config>
      </processor>
      <processor name="outboundTCP-localhost-port-9700" plugin="tcpoutputprocessor">
         <config>
            <sendCookedData>false</sendCookedData>
            <uri>localhost:9700</uri>
            <maxNumberOfRetriesAtHighestBackoff>0</maxNumberOfRetriesAtHighestBackoff>
            <initialBackoff>1</initialBackoff>
            <maxBackoff>20</maxBackoff>
            <backoffAtStartup>5</backoffAtStartup>
            <usePersistentQueue>true</usePersistentQueue>
            <blockOnQueueFull>false</blockOnQueueFull>
         </config>
      </processor>
      <processor name="sendOut" plugin="queueoutputprocessor">
         <config>
            <queueName>indexQueue</queueName>
         </config>
      </processor>
   </pipeline>
</module>
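One way to confirm the manual addition before restarting is a check like the following. This is an added example, not part of the Splunk documentation; the second processor in the constructed sample and its host "siem.example.net" are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of config.xml above. The second processor
# and its host "siem.example.net" are hypothetical; it lacks the manual addition.
SAMPLE = """<?xml version="1.0"?>
<module>
  <pipeline name="tcp-output-generic-pipeline" type="startup">
    <processor name="outboundTCP-localhost-port-9700" plugin="tcpoutputprocessor">
      <config>
        <sendCookedData>false</sendCookedData>
        <uri>localhost:9700</uri>
      </config>
    </processor>
    <processor name="outboundTCP-siem-port-9800" plugin="tcpoutputprocessor">
      <config>
        <uri>siem.example.net:9800</uri>
      </config>
    </processor>
  </pipeline>
</module>"""


def check_tcp_outputs(xml_text):
    """Return (processor name, uri, problem) for each TCP output that does not
    have <sendCookedData>false</sendCookedData> just above <uri>."""
    findings = []
    for proc in ET.fromstring(xml_text).iter("processor"):
        if proc.get("plugin") != "tcpoutputprocessor":
            continue
        config = proc.find("config")
        tags = [child.tag for child in config] if config is not None else []
        if "uri" not in tags:
            findings.append((proc.get("name"), None, "no <uri> element"))
            continue
        uri = config.findtext("uri").strip()
        pos = tags.index("uri")
        if "sendCookedData" not in tags:
            problem = "sendCookedData missing"
        elif (config.findtext("sendCookedData") or "").strip().lower() != "false":
            problem = "sendCookedData is not false"
        elif pos == 0 or tags[pos - 1] != "sendCookedData":
            problem = "sendCookedData is not just above <uri>"
        else:
            continue
        findings.append((proc.get("name"), uri, problem))
    return findings


if __name__ == "__main__":
    for name, uri, problem in check_tcp_outputs(SAMPLE):
        print(f"{name} -> {uri}: {problem}")
```

To check a real file, pass its contents to `check_tcp_outputs`; an empty list means every TCP output carries the setting where the page says to put it.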

If you want to capture the data to a file instead of forwarding it to a network port, you can use netcat in your shell.


For example, if you're forwarding to a destination port of 9800, this will capture a copy of Splunk's data to a file named "logcapture.txt."


# nc -l -p 9800 > logcapture.txt

This documentation applies to the following versions of Splunk: 2.2, 2.2.1, 2.2.3, 2.2.6