Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Redirecting data through two heavy forwarders, is it possible to reprocess already cooked data with props.conf and transforms.conf?

daniel333
Builder
‎10-20-2016 10:58 AM

All,

I have data flowing through a heavy forwarder. Security wants a SECOND heavy forwarder that they manage to SEDCMD out certain PII. Is it possible to reprocess already cooked data?

0 Karma
Reply

lukejadamec
Super Champion
‎10-20-2016 11:07 AM

No. Once the data is passed the parsing phase it cannot go back. Even worse, you could end up with a situation where the events from a search show the SEDCMD data, but the interesting fields and _raw show the original data.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...