why is the data from splunk forwarder --splunk-cooked-mode-v3-- then about 103 x00 then the computername followed by 241 x00 then 8089 followed by 12 more x00?
I have tried to find something on the web that made sense to me to discover what the problem is. I used Wireshark on the Windows 7 machine to trap the data. The data looks the same on my Ubuntu 12.10 Splunk standalone indexer.
Sounds like you've set up a TCP input (in the "Inputs" section in splunkweb) instead of a receiving port (in "Forwarding and receiving"). TCP inputs are read by Splunk as-is, while receiving ports are used for receiving data in the proprietary format that's used for forwarded data from one Splunk instance to another. Make sure you're sending forwarded data to a receiving port.
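As an added illustration of the check the answer above suggests (not code from the thread or from Splunk itself): a small Python classifier that looks at a captured TCP payload and decides whether it is Splunk's "cooked" forwarder-to-indexer traffic or plain raw data. It keys only on the `--splunk-cooked-mode-v3--` signature the question reports; the sample payload is constructed here to match the byte layout the asker describes (signature, NUL padding, hostname, NUL padding, the port `8089`, trailing NULs), and the padding lengths are taken from the question rather than from any protocol specification. The host name `WIN7-PC` is a made-up value.

```python
# Added example, not Splunk's own code. Classifies a captured payload as
# "cooked" (Splunk-to-Splunk forwarding format) or "raw", which is the
# distinction between a receiving port and a plain TCP input.

COOKED_SIGNATURE = b"--splunk-cooked-mode-v3--"


def build_sample_cooked_payload(hostname, port=b"8089"):
    """Construct a payload shaped like the one described in the question.

    Padding lengths (103, 241, 12) are the counts the asker observed; they are
    used here only to build a realistic sample, not asserted as a spec.
    """
    return (COOKED_SIGNATURE
            + b"\x00" * 103 + hostname
            + b"\x00" * 241 + port
            + b"\x00" * 12)


def is_cooked_payload(payload):
    """True when the stream opens with Splunk's cooked-mode signature."""
    return payload.startswith(COOKED_SIGNATURE)


def printable_fields(payload):
    """Return the printable-ASCII strings that sit between runs of NUL bytes.

    This deliberately avoids fixed offsets, so it works whether the padding
    is 103 bytes or something else.
    """
    fields = []
    for chunk in payload.split(b"\x00"):
        if chunk and all(32 <= b < 127 for b in chunk):
            fields.append(chunk.decode("ascii"))
    return fields


def classify(payload):
    """Decide what kind of input the receiving Splunk instance needs."""
    if is_cooked_payload(payload):
        fields = printable_fields(payload)
        return {
            "kind": "cooked",
            # drop the signature itself; what remains is hostname, port, ...
            "fields": fields[1:],
            "advice": "receive on a 'Forwarding and receiving' port, "
                      "not a raw TCP input",
        }
    return {
        "kind": "raw",
        "fields": [],
        "advice": "a raw TCP input will index this as-is",
    }


if __name__ == "__main__":
    # Constructed sample: what the asker's Wireshark capture would look like.
    sample = build_sample_cooked_payload(b"WIN7-PC")
    print(classify(sample))
    # A plain syslog-style line, for contrast.
    print(classify(b"Jan 01 00:00:00 host sshd[1]: session opened\n"))
```

Run against a payload exported from Wireshark ("Follow TCP Stream", raw bytes); a `cooked` result with the host name and `8089` in the field list is exactly the situation the answer describes, and the fix is on the receiving side's configuration, not in the forwarder.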
OK. What you are seeing is Splunk's own proprietary format for sending data. There's various metadata added apart from the actual raw event. This is not a problem, that's just how it's sent on the wire.
Is the data that is in the network layer going to be in the output layer? Also, I replaced the universal forwarder with a full Splunk version set up for forwarding and it does the same thing: it just sends the computer name and lots of x00s.
I don't know what else I can say to make you understand this. Data is sent in a proprietary format that will be more than just any log data sent. This is not a problem, this is just the way the data is sent.