Route data to third-party systems
This documentation does not apply to the most recent version of Splunk.
Splunk can be configured to route data to non-Splunk systems. To do this, configure the Splunk server to send raw data over TCP to the server and port named in outputs.conf. The receiving server must be listening for the data stream on that port.
Additionally, enable conditional routing with props.conf and transforms.conf to be more specific about which data gets routed to third-party systems.
Configuration
To configure data routing, you need to edit props.conf, transforms.conf, and outputs.conf. These files are located in $SPLUNK_HOME/etc/system/local/ on the Splunk server.
Note: If these files are not located in $SPLUNK_HOME/etc/system/local/, copy them from $SPLUNK_HOME/etc/system/default/.
In props.conf, specify the host, source, or source type of your data stream, and name the transform to apply to that input.
In transforms.conf, define the transform and set its DEST_KEY to _TCP_ROUTING, with FORMAT naming the target group to route to. You can also use REGEX if you wish to be more selective about which events are routed.
In outputs.conf:
- Define the target groups that will receive the data.
- Specify the IP address and TCP port, $IP:$PORT, of the third-party system that will receive the data.
- Set sendCookedData to false so that your Splunk server forwards raw data.
Note: Any server you want to send data to must be listed in a target group or in the default group. Read more about configuring target groups in outputs.conf.
Example
Send a subset of data
This example shows how to forward a subset of your data from Splunk.
1. First, edit props.conf and transforms.conf to specify which data to send to the non-Splunk system.
In props.conf, apply the bigmoney transform to all hostnames beginning with nyc:
[host::nyc*]
TRANSFORMS-nyc = bigmoney
In transforms.conf, set the TCP routing key to a group that includes the default TCP group and the non-Splunk server group:
[bigmoney]
DEST_KEY = _TCP_ROUTING
FORMAT = bigmoneyreader
2. Next, define the target groups in outputs.conf:
[tcpout]
defaultGroup = default-clone-group-192_168_1_104_9997

[tcpout:default-clone-group-192_168_1_104_9997]
disabled = false
server = 192.168.1.104:9997

[tcpout:bigmoneyreader]
disabled = false
server = 10.1.1.197:7999
sendCookedData = false
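The three files above only work together if every name lines up: the transform named in props.conf must exist in transforms.conf, the FORMAT of a _TCP_ROUTING transform must name a [tcpout:<group>] stanza that actually exists, and the non-Splunk group must be enabled and set to send raw data, otherwise the receiver either gets nothing or gets cooked data it cannot parse. The following checker is an added example written for this page, not Splunk's own tooling: it parses the three files as INI-style stanzas with Python's configparser and reports such mismatches. The config strings are constructed from the example in this section, and the set of "raw targets" (groups that point at non-Splunk systems) is supplied by the operator because the files themselves do not mark a group as third-party.

```python
"""Cross-check Splunk routing config: props.conf, transforms.conf, outputs.conf.

Added example for this page (not Splunk's code). Sample config strings below
are constructed from the page's 'Send a subset of data' example.
"""
import configparser

# Constructed sample input mirroring the page's example.
PROPS_CONF = """
[host::nyc*]
TRANSFORMS-nyc = bigmoney
"""

TRANSFORMS_CONF = """
[bigmoney]
DEST_KEY = _TCP_ROUTING
FORMAT = bigmoneyreader
"""

OUTPUTS_CONF = """
[tcpout]
defaultGroup = default-clone-group-192_168_1_104_9997

[tcpout:default-clone-group-192_168_1_104_9997]
disabled = false
server = 192.168.1.104:9997

[tcpout:bigmoneyreader]
disabled = false
server = 10.1.1.197:7999
sendCookedData = false
"""


def parse_conf(text):
    """Parse Splunk .conf text (INI-style stanzas) into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep case: Splunk keys such as DEST_KEY are case-sensitive
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def _csv(value):
    """Split a comma-separated Splunk value into a list of trimmed items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def tcpout_groups(outputs):
    """Map group name -> stanza body for every [tcpout:<group>] stanza."""
    return {name.split(":", 1)[1]: body
            for name, body in outputs.items() if name.startswith("tcpout:")}


def check_routing(props, transforms, outputs, raw_targets):
    """Return a list of problem strings; an empty list means the files agree.

    raw_targets: names of tcpout groups that point at non-Splunk systems.
    The checker cannot infer this from the files, so the operator supplies it.
    """
    problems = []
    groups = tcpout_groups(outputs)
    default_group = outputs.get("tcpout", {}).get("defaultGroup")
    if default_group and default_group not in groups:
        problems.append(f"defaultGroup '{default_group}' has no [tcpout:{default_group}] stanza")

    # Every TRANSFORMS-* in props.conf must exist in transforms.conf, and a
    # _TCP_ROUTING transform must name groups that exist in outputs.conf.
    for stanza, body in props.items():
        for key, value in body.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for tname in _csv(value):
                t = transforms.get(tname)
                if t is None:
                    problems.append(f"[{stanza}] references transform '{tname}' missing from transforms.conf")
                elif t.get("DEST_KEY") == "_TCP_ROUTING":
                    for target in _csv(t.get("FORMAT", "")):
                        if target not in groups:
                            problems.append(f"transform '{tname}' routes to '{target}' but outputs.conf has no [tcpout:{target}]")

    # Every group needs a host:port, and raw targets must be enabled and
    # configured to send uncooked data (Splunk's default is cooked).
    for name, body in groups.items():
        for server in _csv(body.get("server", "")):
            host, _, port = server.rpartition(":")
            if not host or not port.isdigit() or not 0 < int(port) < 65536:
                problems.append(f"[tcpout:{name}] server '{server}' is not host:port")
        if name in raw_targets:
            if body.get("disabled", "false").lower() != "false":
                problems.append(f"[tcpout:{name}] is disabled; nothing will reach the third-party system")
            if body.get("sendCookedData", "true").lower() != "false":
                problems.append(f"[tcpout:{name}] sends cooked data; a non-Splunk receiver needs sendCookedData = false")
    for name in raw_targets:
        if name not in groups:
            problems.append(f"raw target '{name}' has no [tcpout:{name}] stanza")
    return problems


def check_page_example():
    """Run the checker over the constructed sample config above."""
    return check_routing(parse_conf(PROPS_CONF), parse_conf(TRANSFORMS_CONF),
                         parse_conf(OUTPUTS_CONF), raw_targets={"bigmoneyreader"})


if __name__ == "__main__":
    for line in check_page_example() or ["routing config is consistent"]:
        print(line)
```

Run it against the real files by reading $SPLUNK_HOME/etc/system/local/*.conf into the three strings; the checks are deliberately static so they can run on a forwarder before it is restarted, and the same function covers the "send all data" layout in the next example, where the default group itself is the raw target.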
Send all data
This example shows how to forward all of your data from Splunk.
Since you are sending all of your data, simply edit outputs.conf to specify that all data will be sent to the non-Splunk system:
[tcpout]
defaultGroup = fastlane
disabled = false
indexAndForward = true

[tcpout:fastlane]
disabled = false
server = 10.1.1.35:6996
sendCookedData = false
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14.