
Forwarding specific data to third-party system

I am working on a POC third-party system for some of our data and need to get data from Splunk forwarded over to it. I was looking through this link, http://docs.splunk.com/Documentation/Splunk/6.6.3/Forwarding/Forwarddatatothird-partysystemsd, and was hoping someone might have done what I am trying to do.

We want to send all of our Windows & IIS logs from our forwarders to the third-party system as a syslog feed. All of our forwarders currently send directly to our backend indexers (which are a set of 3 different indexer clusters). From looking at that link, it seems like if I want to separate data (only some sourcetypes/indexes/etc) that is getting sent from the forwarders to the other location, I have to pass the data through a heavy forwarder. I want to avoid doing this because that would mean repointing all of our forwarders to go through the heavy forwarder.

Can the division of the data be done from the forwarders themselves? Or even by making a change on the indexer side to get the raw data over to the third-party through a syslog feed?
