Migrate from Google SecOps Forwarder
Praxis includes a forwarder migration flow that turns a Google SecOps Universal Forwarder–style forwarder.conf (and optional _auth.conf) into a draft pipeline you can edit and publish in the Praxis UI.
Use it when you are moving off the Chronicle forwarder for log collection and want a native Praxis pipeline on Linux, Windows, macOS, or Kubernetes.
How it works
- Analyze — POST /v1/pipelines/forwarder/analyze parses the uploaded config and returns a preview of the converted topology (sources, processors, destinations, credentials). Nothing is persisted.
- Migrate — POST /v1/pipelines/forwarder/migrate creates a new pipeline, stores the converted graph as the draft configuration, and returns the pipeline UUID so you can open /pipelines/view/<uuid> and continue in the editor.
Both endpoints accept the .conf and optional _auth.conf content as plain strings in the JSON body (the UI reads local files and posts the text).
The Praxis UI exposes this as the “Migrate from Google SecOps Forwarder” wizard (Step 2 → Step 3 uses the analyze response; migrate completes the handoff).
Splunk (kind: splunk) collectors
When the parser encounters a kind: splunk collector block, it emits a Splunk Search API source with continuous polling (default polling_interval: 60 seconds, clamped to a minimum of 30 seconds). Credential and endpoint fields from the forwarder map to splunk_search and Praxis integration records as documented on the Splunk Search API page.
Related documentation
- Splunk Search API source — configuration reference for the generated splunk_search receiver.
- Google SecOps data processing pipeline — SecOps processing pipelines in Praxis (separate from collector forwarder export).
- Google SecOps destination — shipping logs from Praxis collectors into SecOps over gRPC / HTTPS.
See also
- Google Cloud: Supported forwarders — official Chronicle / SecOps forwarder documentation