Is it possible to have a heavy forwarder send unparsed (not raw) cooked data?
I have a server which needs to forward data, and a universal forwarder sending compressed, unparsed data would be fine.
However, I would like to use that same server to do some data collection as well.
This data collection requires a full Splunk install and a 3rd party app (estreamer to be specific).
However, as I understanding it using a full Splunk install as a heavy forwarder will, by default send parsed data.
This is a much heavier network load, which I would like to avoid.
The only option in outputs.conf related to this is: sendCookedData = true | false.
If I set this to false, then it will be sending raw (uncooked data to the forwarder).
If I set this to true, then it appears the heavy forwarder will send all data as cooked, parsed data.
I'm looking for an option to send cooked, unparsed data.
Thanks for any help!
... View more