|
I've read http://www.splunk.com/base/Documentation/latest/Deploy/Forwarddatatothird-partysystemsd And this looks possible, although with limitations. I'm particularly thinking of forwarding to an existing ArcSight Logger instance. Has any one tried this, and what were their experiences? Also how would licensing and support work in this model. |
|
We have people doing this, and as long as the data is sent out in a syslog format, things should work without an issue. There shouldn't really be any limitations, we should be able to send out anything we've indexed with the rawdata contained within the event. What kind of limitations were you concerned about? I haven't done this myself, so I can't speak to direct experiences, but I have spoken with people who have done this. Licensing counts data which has been indexed by Splunk. What happens when that data is sent to a third party isn't going to affect the license as the data was already written to an index within Splunk. You don't need any additional licensing to implement this functionality. Support won't be affected in any way, but it ends where the data leaves the Indexer. Thank you for the prompt answer, From what you have said are we only able to forward log data from an indexer and not directly from a forwarder (without an indexer)? If we can send data from a Splunk forwarder directly to ArcSight how is licensing / support impacted.
(19 Jul '11, 01:11)
splunkwelham...
Well, you could do it from a heavy forwarder, because data is parsed there, but only after it has been indexed. That means you'd need to have an index configured and would be using licensing volume. There isn't a way to do this without having the data indexed. Again, nothing here that affects support, but your licensing will be impacted.
(19 Jul '11, 08:22)
jbsplunk ♦
|
