search
githubEdit

Splunk Heavy Forwarder

Configuring Splunk Heavy Forwarder to send data to Apica Ascent

hashtag
Splunk Raw mode

circle-info

Splunk heavy forwarders support forwarding raw data as it is collected as well in Splunk's proprietary protocol S2S. Apica Ascent can directly ingest from Splunk heavy forwarder in raw mode that does not use proprietary S2S protocol.

Splunk Heavy Forwarder can be configured to send raw TCP data to Apica Ascent. To enable forwarding to Apica Ascent edit $SPLUNK_HOME/etc/system/local/outputs.conf file and enable TCP forwarding.

[tcpout]
disabled = false 
defaultGroup = logiq

[tcpout:logiq]
server = <ascent_instance>:<ascent_raw_port>
sendCookedData=false
negotiateProtocolLevel = 0

hashtag
Syslog

hashtag
outputs.conf

[syslog]
defaultGroup = forwarders_ascent_syslog

[syslog:forwarders_ascent_syslog]
server = <ascent_instance>:<ascent_syslog_port>

hashtag
RFS:S3

Apica Ascent also fronts an S3 compatible protocol port where Splunk Heavy Forwarders can directly forward data using rfs:s3 output specification. Example is below

hashtag
outputs.conf

hashtag
Splunk Cooked mode

Apica Ascent can ingest data from splunk forwarders in Cooked mode as well. You can create a S2S Ingest app extension to directly ingest data from Splunk universal forwarder and Heavy forwarder in cooked mode.

circle-check

Logs/Events/Metrics can be ingested into Apica Ascent using cooked mode

Go to "Explore" -> "App Extensions" and create your S2S Ingest app extension

S2S Cooked mode plugin
circle-check

Multiple S2s Ingest extensions can be running simultaneously

PreviousSplunk Universal ForwarderNextSNMP

Last updated

Was this helpful?