Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

INDEXED_EXTRACTIONS after data passed through a Universal Forwarde

TiagoTLD1
Communicator
‎02-15-2017 11:50 AM

Hello

I have a UF that will send the data to another UF. I want to send the data uncooked to the second UF, and only then, to do the INDEXED_EXTRACTIONS of csv.

As Splunk Documentation says, Forwarded data skips the following queues on the indexer, which precludes any parsing of that data on the indexer:

  • parsing
  • aggregation
  • typing

So how can I force the data to go through the parsing queue again in order to make de extractions only on UF2?

Is there a place where I can find the syntax for route=has_key etc... ?

Thanks in advance

0 Karma
Reply

TiagoTLD1
Communicator
‎02-15-2017 11:11 PM

Yes I am aware of the options in search time and index time. I really need to make some comparisons so Could you please tell me how to do that on my own account?

What is the syntax of route has_key? What are all the queues that can be specified there? Is structuredparsing the name of the queue where indexed extractions are done?

Thanks

0 Karma
Reply

lguinn2
Legend
‎02-15-2017 09:21 PM

Why do you need indexed extractions? You could do search-time field extractions on the indexer (or search head if you are using a search head). This would avoid the whole problem, and is usually better than indexed extractions.

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...