wagga40 / Zircolite

A standalone SIGMA-based detection tool for EVTX, Auditd and Sysmon for Linux logs

Splunk Forwarding #61

Closed Compr0mzd closed 1 year ago

Compr0mzd commented 1 year ago

Hey, there is no possibility to forward the events using --remote to a Splunk-specific index. Is there any way to do that with the --remote option?

Thanks in advance

wagga40 commented 1 year ago

Hi, since Zircolite uses Splunk HEC to forward events, I've considered that the index is declared when you create the HEC token (doc here).

I think I can code something to provide the index directly from Zircolite but it has not been implemented for the reason explained above.

Compr0mzd commented 1 year ago

Hi, yes, the index is declared, but what if we want to parse data into multiple indexes automatically?

wagga40 commented 1 year ago

Could you clarify? Do you mean you want to send all the data to multiple indexes?

Compr0mzd commented 1 year ago

To be clear with you: we use a Python script that filters forensic cases and executes Zircolite from the script. The script fills in the arguments for Zircolite depending on the case. Each case on Splunk has an index, so we want to send different case data to different indexes on Splunk automatically. I tried to modify the source code and tried to POC it for now, but I would love to have an answer from you about this.

wagga40 commented 1 year ago

Working on it.

Compr0mzd commented 1 year ago

I tried to modify the Zircolite source code and I just added ?index={self.index} to the forwarding URL, and by using --index it worked, but I don't know if it's really the intended behavior you would want.
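The per-case routing described in this thread, as an added example that is not Zircolite's own code or the patch from #62. It assumes a hypothetical mapping from case id to Splunk index, constructed sample detections whose field names are illustrative rather than Zircolite's exact output schema, and a placeholder HEC base URL and token. The target index can be carried either as the `?index=` query parameter mentioned above or as the `index` field of each HEC event envelope; in both cases the HEC token must be allowed to write to that index, otherwise Splunk rejects the request, so a token created for a single index will not suddenly reach others just because the URL says so.

```python
import json
import urllib.parse
import urllib.request

HEC_EVENT_PATH = "/services/collector/event"


def build_hec_url(base_url, index=None, index_in_query=False):
    """HEC event endpoint for a Splunk instance.

    index_in_query=True reproduces the approach from the thread: the target index
    is appended as a ?index= query parameter instead of being carried per event.
    """
    url = base_url.rstrip("/") + HEC_EVENT_PATH
    if index and index_in_query:
        url += "?" + urllib.parse.urlencode({"index": index})
    return url


def build_hec_batch(events, index=None, sourcetype="zircolite:detection", host=None):
    """Serialize detections as newline-delimited HEC envelopes (one POST body).

    When index is given it is set on every envelope, so one POST can only ever
    land in one index; route detections before batching them.
    """
    lines = []
    for event in events:
        envelope = {"sourcetype": sourcetype, "event": event}
        if index:
            envelope["index"] = index
        if host:
            envelope["host"] = host
        lines.append(json.dumps(envelope, separators=(",", ":")))
    return "\n".join(lines)


def route_by_case(detections, case_to_index, default_index):
    """Group detections by their case id and return {index: [detections]}.

    A detection whose case has no mapping falls back to default_index rather
    than being dropped, so nothing silently disappears from the SIEM.
    """
    routed = {}
    for detection in detections:
        index = case_to_index.get(detection.get("case"), default_index)
        routed.setdefault(index, []).append(detection)
    return routed


def send_batch(base_url, token, body, index=None, index_in_query=False, timeout=10):
    """POST one batch to HEC and return Splunk's parsed JSON reply (network call)."""
    request = urllib.request.Request(
        build_hec_url(base_url, index, index_in_query),
        data=body.encode("utf-8"),
        method="POST",
        headers={
            "Authorization": "Splunk " + token,
            "Content-Type": "application/json",
        },
    )
    # TLS verification is left at urllib's default (on); a forwarder that sends
    # detection data to a SIEM should not disable it.
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.loads(response.read().decode("utf-8"))


# Constructed sample detections (illustrative field names, not Zircolite's schema).
SAMPLE_DETECTIONS = [
    {"case": "IR-2023-01", "title": "Suspicious PowerShell Download Cradle", "rule_level": "high"},
    {"case": "IR-2023-01", "title": "Credential Dumping Tool Command Line", "rule_level": "critical"},
    {"case": "IR-2023-07", "title": "New Service Installed", "rule_level": "medium"},
    {"case": "IR-UNKNOWN", "title": "Scheduled Task Created", "rule_level": "low"},
]

# Hypothetical case-to-index mapping maintained by the calling script.
CASE_TO_INDEX = {"IR-2023-01": "ir_case_01", "IR-2023-07": "ir_case_07"}

if __name__ == "__main__":
    for index, detections in route_by_case(SAMPLE_DETECTIONS, CASE_TO_INDEX, "ir_triage").items():
        body = build_hec_batch(detections, index=index)
        print(f"{index}: {len(detections)} detection(s), {len(body)} bytes")
        # Placeholder endpoint and token; uncomment against a real HEC:
        # send_batch("https://splunk.example:8088", "<HEC-TOKEN>", body, index=index)
```

Setting `index` inside each envelope is the option that survives batching across cases and does not depend on how the URL is assembled; the query-parameter variant is kept here only because it is what the thread tried.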

wagga40 commented 1 year ago

To be honest, I wasn't planning on doing anything much more complicated. One thing I was thinking of was to add the ability to create the HEC token automatically.

wagga40 commented 1 year ago

Done (I hope) in #62

Compr0mzd commented 1 year ago

Really nice, thanks.