Splunk Universal Forwarder

Configuring Splunk Universal Forwarder to send data to Apica Ascent

Splunk Raw mode

Splunk universal forwarders support forwarding raw data as it is collected as well in Splunk's proprietary protocol S2S. Apica Ascent can directly ingest from Splunk UF in the raw mode that does not use proprietary S2S protocol.

Splunk Universal Forwarder can be configured to send raw TCP data to Apica Ascent. To enable forwarding to Apica Ascent edit $SPLUNK_HOME/etc/system/local/outputs.conf file and enable TCP forwarding.

[tcpout]
disabled = false 
defaultGroup = logiq

[tcpout:logiq]
server = <logiq_instance>:<raw port>
sendCookedData=false
negotiateProtocolLevel = 0

Splunk Cooked mode

Apica Ascent can ingest data from Splunk forwarders in cooked mode as well. You can create an S2S Ingest app extension to directly ingest data from Splunk universal forwarder and Heavy forwarder in cooked mode.

Logs/Events/Metrics can be ingested into Apica Ascent using cooked mode

Go to "Explore" -> "App Extensions" and create your S2S Ingest app extension

Multiple S2s Ingest extensions can be running simultaneously

PreviousSyslog-ngNextSplunk Heavy Forwarder

Last updated