This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13

Route data to third-party systems

Splunk can be configured to route data to non-Splunk systems. To do this, configure a Splunk server to send raw data over TCP to a host and port specified in outputs.conf. The receiving server must be listening for the data stream on that port.

Additionally, you can enable conditional routing in props.conf and transforms.conf to be more specific about which data is routed to third-party systems.


Configuration

To configure data routing, you need to edit props.conf, transforms.conf, and outputs.conf. These files are located in $SPLUNK_HOME/etc/system/local/ on the Splunk server.

Note: If these files are not located in $SPLUNK_HOME/etc/system/local/, copy them from $SPLUNK_HOME/etc/system/default/.

In props.conf, specify the host, source, or source type of your data stream, and name the transform to apply to that input.

In transforms.conf, define the transforms and specify the TCP_ROUTING to apply. You can also use REGEX to be more selective about which input is routed.

In outputs.conf:

  • Define the target groups that will receive the data.
  • Specify the IP address and TCP port ($IP:$PORT) of the third-party system that will receive the data.
  • Set sendCookedData to false so that your Splunk server forwards raw data rather than Splunk's internal cooked format.

Note: Any server that is to receive data must be listed in a target group or in the default group. Read more about configuring target groups in outputs.conf.


Example

Send a subset of data

This example shows how to forward a subset of your data from Splunk.

1. First, edit props.conf and transforms.conf to specify which data to send to the non-Splunk system.

In props.conf, apply the bigmoney transform to all hostnames beginning with nyc:

[host::nyc*]
TRANSFORMS-nyc = bigmoney

In transforms.conf, define the bigmoney transform and set its TCP routing (the _TCP_ROUTING destination key) to the group that includes the default TCP group and the non-Splunk server group:

[bigmoney]
DEST_KEY = _TCP_ROUTING
FORMAT = bigmoneyreader

2. Next, define the target groups in outputs.conf:

[tcpout]
defaultGroup = default-clone-group-192_168_1_104_9997
[tcpout:default-clone-group-192_168_1_104_9997]
disabled = false
server = 192.168.1.104:9997
[tcpout:bigmoneyreader]
disabled = false
server = 10.1.1.197:7999
sendCookedData = false
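Before restarting Splunk it is worth confirming that the three files actually chain together. The following Python script is an added check, not part of the Splunk manual: it parses the props.conf, transforms.conf and outputs.conf text from the example above (embedded here as constructed sample input) and verifies that every _TCP_ROUTING transform names an existing [tcpout:...] group, that defaultGroup resolves, that each server value is host:port, and that the non-Splunk group sets sendCookedData to false. The function names parse_conf and check_routing are this example's own; the key names are Splunk's.

```python
# Added example (not from the Splunk manual): sanity-check the routing chain
# props.conf -> transforms.conf -> outputs.conf. Sample confs below are constructed from the page.
from configparser import ConfigParser

PROPS = "[host::nyc*]\nTRANSFORMS-nyc = bigmoney\n"
TRANSFORMS = "[bigmoney]\nDEST_KEY=_TCP_ROUTING\nFORMAT=bigmoneyreader\n"
OUTPUTS = """[tcpout]
defaultGroup = default-clone-group-192_168_1_104_9997
[tcpout:default-clone-group-192_168_1_104_9997]
disabled = false
server = 192.168.1.104:9997
[tcpout:bigmoneyreader]
disabled = false
server=10.1.1.197:7999
sendCookedData=false
"""

def parse_conf(text):
    """Splunk .conf files are INI-like; keep key case since Splunk keys are case-sensitive."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def check_routing(props_text, transforms_text, outputs_text):
    props, tf, out = (parse_conf(t) for t in (props_text, transforms_text, outputs_text))
    groups = {s[len("tcpout:"):]: out[s] for s in out.sections() if s.startswith("tcpout:")}
    problems = []  # an empty result means every route resolves
    default = out["tcpout"].get("defaultGroup") if out.has_section("tcpout") else None
    if default not in groups:
        problems.append(f"defaultGroup {default!r} has no [tcpout:...] stanza")
    for name, grp in groups.items():  # every target group needs a usable host:port
        host, _, port = grp.get("server", "").rpartition(":")
        if not host or not port.isdigit() or not 0 < int(port) < 65536:
            problems.append(f"{name}: server must be host:port, got {grp.get('server')!r}")
    for stanza in props.sections():  # follow each TRANSFORMS-<name> into transforms.conf
        for key, value in props[stanza].items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for tname in (v.strip() for v in value.split(",")):
                if not tf.has_section(tname):
                    problems.append(f"{stanza}: transform {tname!r} not in transforms.conf")
                elif tf[tname].get("DEST_KEY") == "_TCP_ROUTING":
                    target = tf[tname].get("FORMAT")
                    if target not in groups:
                        problems.append(f"{tname}: FORMAT {target!r} is not a [tcpout:...] group")
                    elif groups[target].get("sendCookedData", "true").lower() != "false":
                        problems.append(f"{target}: non-Splunk receiver needs sendCookedData=false")
    return problems
```

Run check_routing on your own three files' contents; any returned string names the stanza that needs fixing.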

Send all data

This example shows how to forward all of your data from Splunk.

Since you are sending all of your data, simply edit outputs.conf to specify that all data goes to the non-Splunk system:

[tcpout]
defaultGroup = fastlane
disabled = false
indexAndForward = true
[tcpout:fastlane]
disabled = false
server = 10.1.1.35:6996
sendCookedData = false

Revision: 207