I have a UF that will send the data to another UF. I want to send the data uncooked to the second UF, and only then, to do the INDEXED_EXTRACTIONS of csv.
As Splunk Documentation says, Forwarded data skips the following queues on the indexer, which precludes any parsing of that data on the indexer:
So how can I force the data to go through the parsing queue again in order to make de extractions only on UF2?
Is there a place where I can find the syntax for route=has_key etc... ?
Thanks in advance
Why do you need indexed extractions? You could do search-time field extractions on the indexer (or search head if you are using a search head). This would avoid the whole problem, and is usually better than indexed extractions.
Yes I am aware of the options in search time and index time. I really need to make some comparisons so Could you please tell me how to do that on my own account?
What is the syntax of route has_key? What are all the queues that can be specified there? Is structuredparsing the name of the queue where indexed extractions are done?