Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Forwarding logs to a third party system using a universal forwarder with sendCookedData = false, can we see the set sourcetype at the receiving end?

immortalraghava
Path Finder
‎05-31-2016 08:46 PM

Hi All,

We are sending logs to a third party system.
And in the inputs.conf monitor stanza, we have set:

sendCookedData = false
sourcetype = errorlogs
index = logs_index

sendCookedData = false because we are forwarding logs to a third party system.. (Mentioned in doc)

Also, we have set the sourcetype and specified an index..

Can we read the sourcetype set for the data at the receiving end?
For now we are able to see only the plain loglines.

Appreciate any help!
Thanks

Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎06-01-2016 03:35 AM

No. cooked data would include the sourcetype and destination index so if you disable sending cooked data you won't get those details.

View solution in original post

Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎06-01-2016 03:35 AM

No. cooked data would include the sourcetype and destination index so if you disable sending cooked data you won't get those details.

Reply
Solved! Jump to solution

immortalraghava
Path Finder
‎06-01-2016 10:48 PM

Hey thanks for your answer. But cooked data looks like its encoded on the receiving side. Is there a way to decode / retrieve sourcetype from cooked data in a third party receiver ?

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎06-02-2016 03:50 AM

Nope, as it is mentioned Splunk cooked data is proprietary.

Reply
Solved! Jump to solution

esix_splunk
Splunk Employee
Splunk Employee
‎06-02-2016 12:47 AM

Cooked data is a Splunk proprietary format, for Splunk to Splunk communication.

If you are sending to a 3rd party, I dont understand why you need an index our sourcetype, these are Specific to Splunk. What are you trying to integrate the feed with? Have you checked this:

http://docs.splunk.com/Documentation/Splunk/6.4.1/Forwarding/Forwarddatatothird-partysystemsd

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...