How to move events between Splunk instances withou...

wegscd · ‎12-11-2015

Is there a good way to move events between Splunk instances (besides moving entire buckets)?

I'm working on some dashboards with someone outside our enterprise, so them accessing our indexers is not a possibility. I've tried do a search to extract the test data, use the table command to show the _time and _raw fields, and export that as a CSV.

That works for some stuff, but the import fails if the events are multiline.

Moving entire buckets is not a good solution: there is a lot of data in that index that is irrelevant to the recipient.

Lucas_K · ‎12-13-2015

Do you have network connectivity to forward the events as udp?

You could use the cef app (with a custom udp mod).

Make a relevant search that matches the events you want to forward to your 3rd party.
Add that into a data model.
Create your cef rule.
Modify it as udp.
Forward udp to 3rd party.

fyi, udp is used as you can bypass creation of the cef field translation and send out raw events.

hortonew · ‎12-11-2015

You could try the steps here: https://answers.splunk.com/answers/25174/how-to-export-import-events-from-indexes.html

It's an older post, so please report back if it still works.

How to move events between Splunk instances without moving entire buckets?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...