Right, and that would be why it bypasses the regular parsing queues and goes to the indexer. The diagram says something to the effect of (Even though the name is "Parsing, the pipeline in UF are not for event parsing.) I take that to mean that even though it has to piggyback on the parsingqueue pipeline, it is not being truly acted upon by any of the parsing queues. Notice in that same diagram, that INDEXED_EXTRACTIONS are absent from the Indexer's queuing actions, that would indicate that it is simply moving through those queues untouched and un-acted upon effectively bypassing them.
So what I would do...
Setup your inputs.conf to watch your tcp input and send it to a sourcetype that you specify.
inputs.conf
[default]
host = EX
[tcp://<remote server>:<port>]
disabled = false
sourcetype = EX-1
queue = parsingQueue
index = EX-index
Then on the HF...
Setup props.conf:
[EX-1]
TRANSFORMS-sourcetyping_testlog = test_log
Setup transforms.conf:
[test_log]
DEST_KEY = MetaData:Sourcetype
REGEX = (askfjklsadf)
FORMAT = (akjfdklsajf)
Something like that... hopefully that is enough to give you a gist of what I'm trying to say.
... View more
