Getting Data In

Order of operations? SEDCMD vs TRANSFORMS

Super Champion

In the indexing process, which happens first the SEDCMD-* entries or TRANSFORMS-* entries?

Tags (1)
1 Solution

Splunk Employee
Splunk Employee

SEDCMD-* is executed before TRANSFORMS-*.

View solution in original post

Splunk Employee
Splunk Employee

SEDCMD-* is executed before TRANSFORMS-*.

View solution in original post

Builder

Thank you. I just discovered this myself while testing. I couldn't understand why some events were not being indexed. Is this documented anywhere? I couldn't find anything.

0 Karma