Splunk forwarders can forward raw data to non-Splunk systems over a plain TCP socket or packaged in standard syslog. Because they are forwarding to a non-Splunk system, they can send only raw data.

By editing nf, nf, and nf, you can configure a heavy forwarder to route data conditionally to third-party systems, in the same way that it routes data conditionally to other Splunk instances. You can filter the data by host, source, or source type. You can also use regular expressions to further qualify the data.

Data forwarding to third-party systems is one of several search result export methods that Splunk software offers. For information about the other export methods available to you, see Export search results in the Search Manual.

You can use any kind of forwarder, such as a universal forwarder, to forward TCP data to a third-party system:

1. Configure the third-party receiving host to expect incoming data on a TCP port.
2. Edit nf to specify the receiving host and port.
3. To route the data, you must use a heavy forwarder, which has the ability to parse data. Edit nf to determine what data to route.
4. Edit nf to determine where to route the data based on what you configured in nf.

- Specify target groups for the receiving servers.
- Specify the IP address and TCP port for each receiving server.
- Set sendCookedData to false, so that the forwarder sends raw data.

To route and filter the data on heavy forwarders only, also edit nf and nf:

- In nf, specify the host, source, or sourcetype of your data stream. Specify a transform to perform on the input.
- In nf, define the transform and specify _TCP_ROUTING. You can also use regular expressions to further filter the data.

This example shows how to send all the data from a forwarder to a third-party system. Since you are sending all the data, you only need to edit nf:

This example shows how to use a heavy forwarder to filter a subset of data and send the subset to a third-party system. Light and universal forwarders cannot route or filter data.

1. Edit nf and nf to specify the filtering criteria. In nf, apply the bigmoney transform to all host names beginning with nyc: In nf, configure the bigmoney transform to specify _TCP_ROUTING as the DEST_KEY and the bigmoneyreader target group as the FORMAT:
2. In nf, define both a bigmoneyreader target group for the non-Splunk server and a default target group to receive any other data:

    defaultGroup = default-clone-group-192_168_1_104_9997

The forwarder will send all data from host names beginning with nyc to the non-Splunk server specified in the bigmoneyreader target group. It will send data from all other hosts to the server specified in the default-clone-group-192_168_1_104_9997 target group.

Note: If you want to forward only the data specifically identified in nf and nf, set defaultGroup=nothing.

You can configure a heavy forwarder to send data in standard syslog format. The forwarder sends the data through a separate output processor.
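The subset-forwarding example on this page (hosts beginning with nyc routed to the bigmoneyreader target group), written out as configuration. This is an added example, not a listing from the original page: it assumes the three files are Splunk's props.conf, transforms.conf and outputs.conf, and the receiver address 192.0.2.10:7999, the TRANSFORMS class name and the catch-all REGEX are constructed placeholders.

```ini
# props.conf (heavy forwarder only; file name assumed):
# apply the bigmoney transform to every host name beginning with nyc
[host::nyc*]
TRANSFORMS-nyc = bigmoney

# transforms.conf (file name assumed):
# REGEX = . matches every event from those hosts; DEST_KEY and FORMAT
# route the matched events to the bigmoneyreader target group
[bigmoney]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = bigmoneyreader

# outputs.conf (file name assumed):
# data that no transform routes elsewhere goes to the default group
[tcpout]
defaultGroup = default-clone-group-192_168_1_104_9997
# To forward only the data selected by the transform, use instead:
# defaultGroup = nothing

[tcpout:default-clone-group-192_168_1_104_9997]
# Address inferred from the group name (assumption)
server = 192.168.1.104:9997

[tcpout:bigmoneyreader]
# Constructed placeholder address for the non-Splunk receiver
server = 192.0.2.10:7999
# A non-Splunk system cannot read cooked data, so send raw
sendCookedData = false
```

Data sent this way crosses the network as raw text over a plain TCP socket, so the path to the third-party receiver should be treated like any other unencrypted log transport.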