Splunk Forwarding #61
Comments
|
Hi, since Zircolite use Splunk HEC to forward events, I’ve considered that the index is declared when you create the HEC token (doc here). I think I can code something to provide the index directly from Zircolite but it has not been implemented for the reason explained above. |
Hi yes the index is declared but what if we want to parse data on multiple index automatically ? |
|
Could you clarify ? Do you mean you want to send all the data to multiple indexes ? |
To be clear with you. We use a python script that is filtering forensic case and executing zircolite from the script. The script is filling up the arguments for zircolite depending on the case. Each case on splunk have an index so we want to send different case data on different index on splunk automatically. I tried to modify the source code and tried to POC it for now. But i would love to have an answer from you about this. |
|
Working on it. |
I tried to modify the zircolite source code and i just added to the fowarding URL |
|
To be honest, I wasn't planning on doing much more complicated. |
Add the ability to specify the index when forwarding to splunk #61
|
Done (I hope) in #62 |
Really nice thanks |
Hey, There Is no possibility to fowards the event using --remote to a splunk specific index. Is there any way to do that with the --remote option ?
Thanks in advance
The text was updated successfully, but these errors were encountered: