Use Splunk Universal Forwarder to Graylog

Has anyone successfully used Splunk Universal Forwarder to send logs to a graylog server? I have experience with Splunk and (ideally) I don’t want to uninstall Splunk Universal Forwarder from all my nodes. I want to make changes to point the Universal Forwarder to my Graylog instance.

The Universal Forwarder uses HTTP to drop logs into Splunk, and Graylog has no HTTP input (and Splunk uses a rather interesting way of doing things) so unfortunately, you’ll have to use another log shipper.

Or write a plugin that can accept that type of input :wink:


I assume one could look at how the GELF input works and adjust it accordingly. It also uses HTTP to receive data.

Yeah but different - Splunk either sends you a single message per HTTP request (hello server load), or it will literally send you a batch of JSON objects, but without separators or anything else, so your data looks like this:

```
{ ... }{ ... }{ ... }{ ... }
```

Which, when fed to most JSON parsers, gets you an error, or only the first object in the data. You need a JSON parser that handles incremental parsing (e.g. it’ll keep going through the data until everything’s parsed) and then you can get somewhere :slight_smile:
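The parsing problem described in the reply above, shown as an added example that is not code from the thread or from any Graylog input: a standard one-shot `json.loads` rejects a body of back-to-back objects, while an incremental decoder built on `json.JSONDecoder.raw_decode` walks the buffer object by object. The sample body is constructed here; it is not real forwarder traffic, and the function names are my own.

```python
import json

# Constructed sample body: several JSON objects with no separator between
# them, the shape the reply above describes (not captured Splunk traffic).
SAMPLE_BODY = (
    '{"event":"login ok","host":"web1"}'
    '{"event":"disk full","host":"db2"} '
    '{"event":"bye","host":"web1"}'
)


def naive_parse_fails(body: str) -> bool:
    """json.loads expects exactly one document; a second object is 'Extra data'."""
    try:
        json.loads(body)
        return False
    except json.JSONDecodeError:
        return True


def parse_concatenated_json(body: str) -> tuple[list, str]:
    """Incrementally decode back-to-back JSON objects.

    Returns (objects, remainder). remainder is the unparsed tail, non-empty
    only when the buffer ends mid-object (e.g. a partially received HTTP
    body); the caller should buffer it and retry once more bytes arrive.
    """
    decoder = json.JSONDecoder()
    objects = []
    pos, end_of_body = 0, len(body)
    while True:
        # raw_decode does not skip leading whitespace, so do it here.
        while pos < end_of_body and body[pos].isspace():
            pos += 1
        if pos >= end_of_body:
            return objects, ""
        try:
            obj, pos = decoder.raw_decode(body, pos)  # pos -> index after obj
        except json.JSONDecodeError:
            # Incomplete (or invalid) trailing data: hand it back unparsed.
            return objects, body[pos:]
        objects.append(obj)


def parse_batch_strict(body: str) -> list:
    """Decode a complete batch; reject leftover bytes instead of dropping them."""
    objects, remainder = parse_concatenated_json(body)
    if remainder:
        raise ValueError(f"unparsed trailing data: {remainder[:40]!r}")
    return objects
```

A caller that buffers the returned remainder should cap the buffer size, since a tail that never becomes valid JSON would otherwise grow without bound.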
