https://community.splunk.com/t5/Getting-Data-In/Does-the-Universal-Forwarder-support-the-Splunk-header/m-p/49655#M9435 <P>I recently moved to the universal forwarder (4.3.3) where I collect files using the batch input. It's a long story but I have to use the batch input. I use the SPLUNK header to set the host, source and source type. The receiving indexer performs the necessary transformations. I've noticed since I've moved to the new forwarder that the header is no longer being honoured. I changed the HEADER_MODE to always in the default etc/system/local/props.conf, however events arrive without the necessary host, source and sourcetypes. </P> <P>It appears that the batch handling changed in 4.2, and is not handled as part of the indexing pipeline.</P> Mon, 03 Sep 2012 09:51:27 GMT Marinus 2012-09-03T09:51:27Z https://community.splunk.com/t5/Getting-Data-In/Does-the-Universal-Forwarder-support-the-Splunk-header/m-p/49655#M9435 <P>I recently moved to the universal forwarder (4.3.3) where I collect files using the batch input. It's a long story but I have to use the batch input. I use the SPLUNK header to set the host, source and source type. The receiving indexer performs the necessary transformations. I've noticed since I've moved to the new forwarder that the header is no longer being honoured. I changed the HEADER_MODE to always in the default etc/system/local/props.conf, however events arrive without the necessary host, source and sourcetypes. </P> <P>It appears that the batch handling changed in 4.2, and is not handled as part of the indexing pipeline.</P> Mon, 03 Sep 2012 09:51:27 GMT https://community.splunk.com/t5/Getting-Data-In/Does-the-Universal-Forwarder-support-the-Splunk-header/m-p/49655#M9435 Marinus 2012-09-03T09:51:27Z https://community.splunk.com/t5/Getting-Data-In/Does-the-Universal-Forwarder-support-the-Splunk-header/m-p/49656#M9436 <P>What's the sourcetype of your data?</P> <P>Do you have any transforms of the data? What kind of stanza specification are you using on the indexer for these? <CODE>[my_sourcetype]</CODE> or <CODE>[source::/path/to/file]</CODE> or <CODE>[host::host1]</CODE>?</P> <P>What are you setting on the forwarder inputs?</P> Tue, 04 Sep 2012 15:25:08 GMT https://community.splunk.com/t5/Getting-Data-In/Does-the-Universal-Forwarder-support-the-Splunk-header/m-p/49656#M9436 dart 2012-09-04T15:25:08Z https://community.splunk.com/t5/Getting-Data-In/Does-the-Universal-Forwarder-support-the-Splunk-header/m-p/49657#M9437 <P>Thanks for the response Dart. The indexer uses a batch input to collect data.</P> <P>[batch:///data]<BR /> move_policy=sinkhole<BR /> crcSalt=<SOURCE></SOURCE></P> <P>The host, source and sourcetype are set by the splunk header i.e.<BR /> <STRONG><EM>SPLUNK</EM></STRONG> host=acme source=xyz sourcetype=abc</P> <P>The indexer received the events from the forwarder and has props configured to deal with the source types, which in fact rewrite the source and host keys i.e.</P> <P>[abc]<BR /> TRANSFORMS-fix=fix_a, fix_b</P> <P>When I look at the events on the indexer, I can see that raw events including the <STRONG><EM>SPLUNK</EM></STRONG> header, with no keys set.</P> Mon, 28 Sep 2020 12:22:42 GMT https://community.splunk.com/t5/Getting-Data-In/Does-the-Universal-Forwarder-support-the-Splunk-header/m-p/49657#M9437 Marinus 2020-09-28T12:22:42Z https://community.splunk.com/t5/Getting-Data-In/Does-the-Universal-Forwarder-support-the-Splunk-header/m-p/49658#M9438 <P>Hi Marinus,<BR /> I'm not sure if using the <CODE>***SPLUNK***</CODE> style is supported.<BR /> I'd suggest either using the Splunk Forwarder instead of the universal forwarder, or you could set a sourcetype in your batch input, and reference that sourcetype in the TRANSFORMS, which could fix host, source and sourcetype, and also use a SEDCMD to remove the header.</P> <P>I'd say the better solution is to use a full forwarder, if that works for <CODE>***SPLUNK***</CODE> style.</P> <P>dart</P> Tue, 04 Sep 2012 19:36:46 GMT https://community.splunk.com/t5/Getting-Data-In/Does-the-Universal-Forwarder-support-the-Splunk-header/m-p/49658#M9438 dart 2012-09-04T19:36:46Z https://community.splunk.com/t5/Getting-Data-In/Does-the-Universal-Forwarder-support-the-Splunk-header/m-p/49659#M9439 <P>Hi Dart</P> <P>I did a couple of tests and it doesn't appear that HEADER_MODE config affects they way it processes events <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Wed, 05 Sep 2012 12:51:20 GMT https://community.splunk.com/t5/Getting-Data-In/Does-the-Universal-Forwarder-support-the-Splunk-header/m-p/49659#M9439 Marinus 2012-09-05T12:51:20Z https://community.splunk.com/t5/Getting-Data-In/Does-the-Universal-Forwarder-support-the-Splunk-header/m-p/49660#M9440 <P>It appears that the batch handling changed in 4.2, and is not handled as part of the indexing pipeline. Reverted back to an old forwarder.</P> Mon, 22 Oct 2012 08:36:33 GMT https://community.splunk.com/t5/Getting-Data-In/Does-the-Universal-Forwarder-support-the-Splunk-header/m-p/49660#M9440 Marinus 2012-10-22T08:36:33Z