Filter Unparsed Cooked Data


Hello all,

I have tested with cooked, unparsed, encrypted data from a Universal Forwarder and filtering works.

The indexer input, however, is splunktcp-ssl, and it works.

As per docs:

Use this stanza type if you are receiving encrypted, unparsed data from a forwarder or third-party system.
Set to the port on which the forwarder/third-party system is sending unparsed, encrypted data.

This input broke event filtering.

Can I just go ahead and use splunktcp-ssl and assume all is good?

Thank you.

0 Karma


You should use splunktcp-type connections for receiving data from Universal Forwarders. tcp-ssl is, as implied in the docs, mostly for third-party products. There's no need to use it unless you know what you're doing and why.

0 Karma


UF doesn't do parsing so that shouldn't be a problem.


We did use it in the past to do event filtering which wouldn't work for parsed data from a LF.

0 Karma
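
For reference, an added example (not posted by anyone in this thread, and not taken from the Splunk docs) of the indexer-side setup discussed above: a `splunktcp-ssl` input receiving encrypted data from Universal Forwarders, with index-time filtering to the null queue. The port, certificate path, password, sourcetype name and regex are placeholders or hypothetical values.

```ini
# inputs.conf on the indexer
# Receives encrypted, cooked (but unparsed) data from Universal Forwarders.
# 9997 is only the conventional receiving port; use whatever the forwarders send to.
[splunktcp-ssl:9997]
disabled = 0

# TLS settings shared by the SSL-enabled inputs above.
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/<your_server_cert>.pem
sslPassword = <certificate_key_password>
# Optional: require forwarders to present a certificate of their own.
requireClientCert = true

# props.conf on the indexer
# "example:app_log" is a hypothetical sourcetype.
# Because a UF does not parse, the indexer runs the parsing pipeline
# and this index-time transform is applied here.
[example:app_log]
TRANSFORMS-drop_debug = drop_debug_events

# transforms.conf on the indexer
# Events matching REGEX are routed to the null queue and never indexed.
[drop_debug_events]
REGEX = \sDEBUG\s
DEST_KEY = queue
FORMAT = nullQueue
```

To confirm the filter is applied, send a matching test event through the forwarder and check that it does not appear in a search over that sourcetype, while non-matching events still do.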