Links

Splunk Heavy Forwarder

Configuring Splunk Heavy Forwarder to send data to LOGIQ

Raw mode ( not cooked )

Splunk heavy forwarders support forwarding raw data as it is collected as well in Splunk's proprietary protocol S2S. LOGIQ.AI can directly ingest from Splunk heavy forwarder in raw mode that does not use proprietary S2S protocol.
Splunk Heavy Forwarder can be configured to send raw TCP data to LOGIQ. To enable forwarding to LOGIQ edit $SPLUNK_HOME/etc/system/local/outputs.conf file and enable TCP forwarding.
[tcpout]
disabled = false
defaultGroup = logiq
[tcpout:logiq]
server = <logiq_instance>:<logiq raw port>
sendCookedData=false
negotiateProtocolLevel = 0

Syslog

outputs.conf

[syslog]
defaultGroup = forwarders_logiq_syslog
[syslog:forwarders_logiq_syslog]
server = <logiq_instance>:<logiq syslog_port>

RFS:S3

LOGIQ.AI also fronts an S3 compatible protocol port where Splunk Heavy Forwarders can directly forward data using rfs:s3 output specification. Example is below

outputs.conf

[rfs:s3]
batchSizeThresholdKB = 3072
batchTimeout = 1
compression = none
path = s3://lq/lq
remote.s3.access_key = <access key>
remote.s3.encryption = none
remote.s3.endpoint = <logiq s3 endpoint>
remote.s3.secret_key = <secret key>
remote.s3.signature_version = v2
remote.s3.supports_versioning = false
remote.s3.url_version = v1
remote.s3.auth_region = us-east-1