Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Forwarding logs to a third party system using a universal forwarder with sendCookedData = false, can we see the set sourcetype at the receiving end?

immortalraghava
Path Finder
‎05-31-2016 08:46 PM

Hi All,

We are sending logs to a third party system.
And in the inputs.conf monitor stanza, we have set:

sendCookedData = false
sourcetype = errorlogs
index = logs_index

sendCookedData = false because we are forwarding logs to a third party system.. (Mentioned in doc)

Also, we have set the sourcetype and specified an index..

Can we read the sourcetype set for the data at the receiving end?
For now we are able to see only the plain loglines.

Appreciate any help!
Thanks

Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎06-01-2016 03:35 AM

No. cooked data would include the sourcetype and destination index so if you disable sending cooked data you won't get those details.

View solution in original post

Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎06-01-2016 03:35 AM

No. cooked data would include the sourcetype and destination index so if you disable sending cooked data you won't get those details.

Reply
Solved! Jump to solution

immortalraghava
Path Finder
‎06-01-2016 10:48 PM

Hey thanks for your answer. But cooked data looks like its encoded on the receiving side. Is there a way to decode / retrieve sourcetype from cooked data in a third party receiver ?

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎06-02-2016 03:50 AM

Nope, as it is mentioned Splunk cooked data is proprietary.

Reply
Solved! Jump to solution

esix_splunk
Splunk Employee
Splunk Employee
‎06-02-2016 12:47 AM

Cooked data is a Splunk proprietary format, for Splunk to Splunk communication.

If you are sending to a 3rd party, I dont understand why you need an index our sourcetype, these are Specific to Splunk. What are you trying to integrate the feed with? Have you checked this:

http://docs.splunk.com/Documentation/Splunk/6.4.1/Forwarding/Forwarddatatothird-partysystemsd

Reply
Get Updates on the Splunk Community!

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...

Unlock Instant Security Insights from Amazon S3 with Splunk Cloud — Try Federated ...

Availability: Must be on Splunk Cloud Platform version 10.1.2507.x to view the free trial banner. If you are ...