Forward data to third-party systems
Splunk can forward raw data to non-Splunk systems. It can send the data over a plain TCP socket or packaged in standard syslog. Because it is forwarding to a non-Splunk system, it can send only raw data.
By editing props.conf and transforms.conf, you can configure the forwarder to route data conditionally to third-party systems, in the same way that it routes data conditionally to other Splunk instances. You can filter the data by host, source, or sourcetype. You can also use regex to further qualify the data.
TCP data
To forward TCP data to a third-party system, edit the forwarder's outputs.conf file to specify the receiving server and port. You must also configure the receiving server to expect the incoming data stream on that port.
To filter the data first, edit the forwarder's props.conf and transforms.conf files as well.
Edit the configuration files
To forward data, edit outputs.conf:
- Specify target groups for the receiving servers.
- Specify the IP address and TCP port for each receiving server.
- Set sendCookedData to false, so that the forwarder sends raw data.
To filter the data, edit props.conf and transforms.conf:
- In props.conf, specify the host, source, or sourcetype of your data stream. Specify a transform to perform on the input.
- In transforms.conf, define the transform and specify _TCP_ROUTING. You can also use regex to further filter the data.
Forward all data
This example shows how to send all the data from a Splunk forwarder to a third-party system. Since you are sending all the data, you only need to edit outputs.conf:
```ini
[tcpout]
indexAndForward = true

[tcpout:fastlane]
server = 10.1.1.35:6996
sendCookedData = false
```
Forward a subset of data
This example shows how to filter a subset of data and send the subset to a third-party system:
1. Edit props.conf and transforms.conf to specify the filtering criteria.
In props.conf, apply the bigmoney transform to all host names beginning with nyc:
```ini
[host::nyc*]
TRANSFORMS-nyc = bigmoney
```
In transforms.conf, configure the bigmoney transform to specify _TCP_ROUTING as the DEST_KEY and the bigmoneyreader target group as the FORMAT:
```ini
[bigmoney]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = bigmoneyreader
```
2. In outputs.conf, define the bigmoneyreader target group for the non-Splunk server, as well as a default target group to receive any other data. If you want to forward only the data specifically identified in props.conf and transforms.conf, set defaultGroup=nothing:
```ini
[tcpout]
defaultGroup = default-clone-group-192_168_1_104_9997

[tcpout:default-clone-group-192_168_1_104_9997]
server = 192.168.1.104:9997

[tcpout:bigmoneyreader]
server = 10.1.1.197:7999
sendCookedData = false
```
The forwarder will send all data from host names beginning with nyc to the non-Splunk server specified in the bigmoneyreader target group. It will send data from all other hosts to the server specified in the default-clone-group-192_168_1_104_9997 target group.
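To see how the three files interact before you deploy them, here is an added Python model of the routing decision. It is not Splunk's own code: it parses constructed copies of the props.conf, transforms.conf and outputs.conf from the example above and reports which target group a sample event lands in and whether it leaves the forwarder as raw data. The host/source/sourcetype wildcard matching, the rule that a later matching transform overwrites an earlier one, and the treatment of `defaultGroup = nothing` as "drop" are simplifying assumptions of this model, and the sample event and OUTPUTS_CONF_NOTHING variant are constructed for the example.

```python
"""Model of props.conf / transforms.conf / outputs.conf routing (_TCP_ROUTING).

Added example for this page, not Splunk's code. It simulates how a forwarder
picks the tcpout target group for an event and whether that group receives raw
(sendCookedData = false) or cooked data. Matching and precedence are simplified
assumptions of this model, not a statement of Splunk's exact behaviour."""
import configparser
import fnmatch
import re

# Constructed copies of the page's "Forward a subset of data" configuration.
PROPS_CONF = """
[host::nyc*]
TRANSFORMS-nyc = bigmoney
"""

TRANSFORMS_CONF = """
[bigmoney]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = bigmoneyreader
"""

OUTPUTS_CONF = """
[tcpout]
defaultGroup = default-clone-group-192_168_1_104_9997

[tcpout:default-clone-group-192_168_1_104_9997]
server = 192.168.1.104:9997

[tcpout:bigmoneyreader]
server = 10.1.1.197:7999
sendCookedData = false
"""

# Constructed variant: defaultGroup = nothing, so only explicitly routed data leaves.
OUTPUTS_CONF_NOTHING = OUTPUTS_CONF.replace(
    "defaultGroup = default-clone-group-192_168_1_104_9997", "defaultGroup = nothing")


def load(text):
    """Parse .conf text, keeping key case (DEST_KEY, TRANSFORMS-nyc) and no % interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def route(event, host, source, sourcetype, props, transforms, outputs):
    """Return the list of tcpout target groups the event is sent to."""
    fields = {"host": host, "source": source, "sourcetype": sourcetype}
    # 1. Collect the TRANSFORMS-* named in every props.conf stanza matching the event.
    names = []
    for section in props.sections():
        kind, _, pattern = section.partition("::")
        value = fields.get(kind)
        if value is not None and fnmatch.fnmatchcase(value, pattern):
            for key, val in props.items(section):
                if key.startswith("TRANSFORMS-"):
                    names.extend(t.strip() for t in val.split(","))
    # 2. Apply transforms whose DEST_KEY is _TCP_ROUTING and whose REGEX matches the
    #    raw event; a later match overwrites an earlier one (model assumption).
    groups = None
    for name in names:
        if not transforms.has_section(name):
            continue
        t = transforms[name]
        if t.get("DEST_KEY") == "_TCP_ROUTING" and re.search(t.get("REGEX", "."), event):
            groups = [g.strip() for g in t["FORMAT"].split(",")]
    # 3. Nothing set the key: fall back to [tcpout] defaultGroup; "nothing" means drop.
    if groups is None:
        default = outputs["tcpout"].get("defaultGroup", "nothing")
        groups = [] if default == "nothing" else [g.strip() for g in default.split(",")]
    return groups


def resolve(outputs, groups):
    """Map target groups to (server, raw) pairs; raw is True when sendCookedData = false."""
    out = []
    for g in groups:
        stanza = outputs[f"tcpout:{g}"]
        cooked = stanza.getboolean("sendCookedData", fallback=True)
        out.append((stanza["server"], not cooked))
    return out


def simulate(host, event="Mar  5 14:07:09 sshd[1]: Failed password", outputs_text=OUTPUTS_CONF):
    """Route one constructed event for the given host and return [(server, raw), ...]."""
    outputs = load(outputs_text)
    groups = route(event, host, "/var/log/auth.log", "syslog",
                   load(PROPS_CONF), load(TRANSFORMS_CONF), outputs)
    return resolve(outputs, groups)


if __name__ == "__main__":
    for h in ("nyc-web01", "sfo-web01"):
        print(h, simulate(h), simulate(h, outputs_text=OUTPUTS_CONF_NOTHING))
```

The second column of each result is the check most worth making: a group with `sendCookedData = false` receives raw text only, and with `defaultGroup = nothing` any host the props.conf stanza does not match is routed nowhere, so data you expected to keep indexing quietly disappears.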
Syslog data
You can configure a forwarder to send data in standard syslog format. The forwarder sends the data through a separate output processor. You can also filter the data with props.conf and transforms.conf. You'll need to specify _SYSLOG_ROUTING as the DEST_KEY.
To forward syslog data, identify the third-party receiving server and specify it in a syslog target group in the forwarder's outputs.conf file.
Forward syslog data
The forwarder sends RFC 3164 compliant events to a TCP/UDP-based server and port, making the payload of any non-compliant data RFC 3164 compliant.
Note: If you have defined multiple event types for syslog data, the event type names must all include the string 'syslog'.
In outputs.conf, specify the syslog target group:
```ini
[syslog:<target_group>]
<attribute1> = <val1>
<attribute2> = <val2>
...
```
The target group stanza requires this attribute:
| Required Attribute | Default | Value |
|---|---|---|
| server | n/a | This must be in the format <ipaddress_or_servername>:<port>, a combination of the IP address or server name of the syslog server and the port on which the syslog server is listening. Note that syslog servers use port 514 by default. |
These attributes are optional:
| Optional Attribute | Default | Value |
|---|---|---|
| type | udp | The transport protocol. Must be set to "tcp" or "udp". |
| priority | 13, or 'Notice' severity, on the 'User' or generic facility. | Syslog priority. This must be a number between one and three digits in length. This value will appear in the syslog header. Compute <ddd> as (<facility> * 8) + <severity>. If facility is 4 (security/authorization messages) and severity is 2 (critical conditions), the priority value will be (4 * 8) + 2 = 34. |
| syslogSourceType | n/a | This must be in the format sourcetype::syslog, the sourcetype for syslog messages. |
| timestampformat | "" | The format used when adding a timestamp to the header. This must be in the format <%b %e %H:%M:%S>. See Configure timestamps in this manual for details. |
Send a subset of data to a syslog server
This example shows how to configure Splunk to forward data from hosts whose names begin with "nyc" to a syslog server named "loghost.example.com" over port 514:
1. Edit props.conf and transforms.conf to specify the filtering criteria.
In props.conf, apply the send_to_syslog transform to all host names beginning with nyc:
```ini
[host::nyc*]
TRANSFORMS-nyc = send_to_syslog
```
In transforms.conf, configure the send_to_syslog transform to specify _SYSLOG_ROUTING as the DEST_KEY and the my_syslog_group target group as the FORMAT:
```ini
[send_to_syslog]
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group
```
2. In outputs.conf, define the my_syslog_group target group for the non-Splunk server:
```ini
[syslog:my_syslog_group]
server = loghost.example.com:514
```
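The priority arithmetic from the attribute table and the RFC 3164 header line the syslog output produces, as an added Python example that is not Splunk's code: it computes and decodes the PRI value, builds a `<PRI>Mmm dd hh:mm:ss HOST payload` line in the `%b %e %H:%M:%S` layout, and parses such a line back so you can confirm what a receiver such as the loghost.example.com server in the example above would record. The sample time, host and payload are constructed, the timestamp is rendered by hand rather than with strftime's `%e` (which not every platform supports), and nothing here models Splunk's own field handling beyond what the table states.

```python
"""RFC 3164 priority and header helpers.

Added example for this page, not Splunk's code: builds the <PRI>TIMESTAMP HOST MSG
line that a syslog output writes, and parses it back for verification."""
import re
from datetime import datetime

FACILITY_USER = 1      # generic "user" facility (the table's default)
FACILITY_AUTH = 4      # security/authorization messages
SEVERITY_CRIT = 2      # critical conditions
SEVERITY_NOTICE = 5    # notice
DEFAULT_PRIORITY = 13  # (1 * 8) + 5: "Notice" on the "User" facility, as in the table

# Constructed sample values used by the demo and its checks.
SAMPLE_TIME = datetime(2011, 3, 5, 14, 7, 9)
SAMPLE_PAYLOAD = "sshd[2231]: Failed password for invalid user admin from 10.0.0.9"


def priority(facility, severity):
    """PRI = (facility * 8) + severity; facility 4 with severity 2 gives 34."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_priority(pri):
    """Inverse of priority(): split a PRI value into (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be 0-191")
    return divmod(pri, 8)


def rfc3164_timestamp(when):
    """Render '%b %e %H:%M:%S', e.g. 'Mar  5 14:07:09'. %e is a space-padded day of
    month; it is built by hand because not every platform's strftime supports it."""
    return f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"


def format_message(payload, host, pri=DEFAULT_PRIORITY, when=None):
    """Build one RFC 3164 line: <PRI>TIMESTAMP HOST payload."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be 0-191")
    when = when or datetime.now()
    return f"<{pri}>{rfc3164_timestamp(when)} {host} {payload}"


# Header layout: PRI in angle brackets, then the fixed-width timestamp, host and message.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)


def parse_message(line):
    """Parse an RFC 3164 line into its fields, or return None if it is not compliant."""
    m = HEADER_RE.match(line)
    if not m or int(m["pri"]) > 191:
        return None
    facility, severity = decode_priority(int(m["pri"]))
    return {"facility": facility, "severity": severity, "timestamp": m["ts"],
            "host": m["host"], "msg": m["msg"]}


if __name__ == "__main__":
    pri = priority(FACILITY_AUTH, SEVERITY_CRIT)
    line = format_message(SAMPLE_PAYLOAD, "nyc-web01", pri=pri, when=SAMPLE_TIME)
    print(line)
    print(parse_message(line))
```

Decoding PRI on the receiving side is the quick way to confirm that a `priority` setting in the syslog target group is doing what you intended: a receiver that files everything under facility 1, severity 5 is seeing the default of 13, not the value you configured.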
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8.
Comments
How about a link to the new concept? How does this change with 4.2? Where is the link? Not here.... so sad now.
Ssaleh: I'm not sure what you mean by 'new concept'--can you be more specific? For 4.2, this topic was moved into the Distributed Deployment manual: http://www.splunk.com/base/Documentation/4.2/Deploy/Forwarddatatothird-partysystemsd
In the future, you can select the product version you're using from the drop-down in the header bar and search for the content you're interested in.