
Review the documentation below and follow any custom installation steps. If no install steps are listed, most Splunk Apps and Add-ons can be installed as follows:

Windows: Decompress the downloaded file using a tool like 7-Zip and place the resulting folder into %PROGRAMFILES%\Splunk\etc\apps. Then restart Splunk using the splunk restart command or the GUI.

Unix/Linux: Decompress the downloaded file using a tool like tar -xvf and place the resulting folder into $SPLUNK_HOME/etc/apps. Then restart Splunk using the splunk restart command or the GUI.

Description

Use this app to take the results of a real-time search, reformat them, and send them on to a file or third party device.

Requirements

The Splunk Real-Time Output (Beta) app requires the following:

  • Splunk
    • version 4.3 or higher
    • search head running Linux, Windows, or Mac OS X
  • Browser
    • latest versions of Firefox, Safari, Chrome, Internet Explorer

Features

Real-Time Outputs

  • Create a real-time output that takes the results of the search you specify, reformats them in key=value or CEF format, and forwards them on to:
    • local appended log files in $SPLUNK_HOME/var/log/rtouput
    • local or remote TCP or UDP syslog devices
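
The two output formats named above, as an added example rather than the app's own code: one search result (a dict of field to value) is rendered as a CEF record and as key=value pairs. The CEF escaping rules are those of the CEF specification; the exact quoting the app uses for its key=value output is not given on this page, so the key="value" form here is an assumption, as are the sample field values.

```python
"""Format one search result (field -> value) as CEF or key=value.

Added example, not the app's own code: it shows the escaping CEF needs so a
field value containing '|', '=' or a newline cannot break or forge a record.
"""
from typing import Mapping

CEF_VERSION = 0


def _escape_header(value: str) -> str:
    # Header fields are pipe-delimited: escape backslash first, then the pipe.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value: str) -> str:
    # Extension values: escape backslash and '=', and encode line breaks so a
    # multi-line value stays inside this one syslog line.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(event: Mapping[str, object], vendor: str, product: str, version: str,
           event_class: str, name: str, severity: int) -> str:
    # CEF:0|Vendor|Product|Version|Class|Name|Severity|key=value ...
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity must be 0-10")
    header = "|".join(_escape_header(str(v)) for v in
                      (vendor, product, version, event_class, name, severity))
    extension = " ".join(f"{k}={_escape_extension(str(v))}"
                         for k, v in sorted(event.items()))
    return f"CEF:{CEF_VERSION}|{header}|{extension}"


def to_kv(event: Mapping[str, object]) -> str:
    # key="value" pairs (the quoting is this example's choice, not the app's spec).
    parts = []
    for k, v in sorted(event.items()):
        v = str(v).replace("\\", "\\\\").replace('"', '\\"')
        parts.append(f'{k}="{v}"')
    return " ".join(parts)


# Constructed sample result: the msg field carries a fake CEF header on a
# second line, the shape a log-injection attempt would take.
SAMPLE_EVENT = {
    "src": "10.0.0.5",
    "dst": "10.0.0.9",
    "msg": "login failed\nCEF:0|Fake|X|1|1|Forged|10|src=1.2.3.4",
}

if __name__ == "__main__":
    print(to_cef(SAMPLE_EVENT, "Splunk", "RT Output", "1.0.2", "100", "Login failure", 5))
    print(to_kv(SAMPLE_EVENT))
```

Run as a script it prints both renderings of the sample; the forged header in msg ends up as escaped text inside a single line, so a downstream syslog parser sees one record.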

Output Search Assistant

  • Use the Output Search Assistant to map Splunk fields to their CEF counterparts, or specify static CEF values, all through the magic of drag and drop

Getting Started

To get started with the Splunk Real-Time Output (Beta) app, download the app from Splunkbase and then restart Splunk.

IMPORTANT

  • The Splunk Real-Time Output (Beta) app is provided on an as-is basis and is to be considered a community-supported add-on
  • The Splunk Real-Time Output (Beta) app is intended for use by Splunk admins only, and is explicitly not intended for use by non-admin users

Getting Support

If you have a question about or problem with the app or have a suggestion for a future version, please use the "Ask a question" link rather than asking it in the review section below. The review section should be used to review the app and not to request support.

Known Issues

  • Some strange behavior has been reported in the Output Assistant when using multi-value search commands such as mvindex()

Changelog

  • 1.0 Beta
    • initial public Beta
  • 1.0.1 Beta
    • don't log metrics event if no events were parsed from stream
    • grab more data from socket when select() informs us that the socket has data
  • 1.0.2 Beta
    • fixed issue which caused some fields to be excluded from the output

Versions and Release Notes

Version 1.0.2 Beta (current version - updated Mar 29, 2013)
release notes:

Fixed issue where fields were missing from the output

Version 1.0 Beta (updated Mar 29, 2013)
release notes:

Initial release

Version 1.0.1 Beta (updated May 21, 2012)
release notes:

* receive more data each time select() tells us that there is data in the socket
* don't log metrics event if no events were parsed

posted 14 May '12, 23:48

araitz ♦

new version 29 Mar, 11:29


Copyright © 2005-2012 Splunk Inc. All rights reserved.