Getting Data In

Filter Unparsed Cooked Data

Communicator

Hello all,

I have tested with cooked, unparsed, encrypted data from a Universal Forwarder and filtering works.

The indexer input is however splunktcp-ssl and it works.

As per docs:

[tcp-ssl:]
Use this stanza type if you are receiving encrypted, unparsed data from a forwarder or third-party system.
Set to the port on which the forwarder/third-party system is sending unparsed, encrypted data.

This input broke event filtering.

Can I just go ahead and use splunktcp-ssl and assume all is good?

Thank you.

0 Karma

Legend

You should use splunktcp type connections for receiving data from Universal Forwarders. tcp-ssl is as is implied in the docs mostly for 3rd party products. There's no need to use it unless you know what you're doing and why.

0 Karma

Legend

UF doesn't do parsing so that shouldn't be a problem.

Communicator

We did use it in the past to do event filtering which wouldn't work for parsed data from a LF.

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes and swag!