Hi Michael,
You are right that universal forwarders cannot extract or transform the data you want to forward. If you just want to process raw data to meet your specific requirement and forward the tailored data to a destination without indexing it, you just need to install a heavy forwarder - no indexer needed.
To deploy a heavy forwarder, you install the full Splunk instance as an indexer, but configure it to use the forwarder license:
In Splunk Web, select Settings > Licensing from the menu.
Click Change license group and choose Forwarder license.
Click Save.
To transform your raw data - e.g., rewrite events as "date:ipaddress" - define and use the transforming processor. Here is an example:
props.conf
[source::...\my.log]
TRANSFORMS-dateip = dateip
transforms.conf
[dateip]
# Lazy prefixes (.*?) so the leading .* does not swallow the first digit of a two-digit month or of the IP's first octet;
# the opening parenthesis of the second capture group was also missing.
REGEX = .*?(\d{1,2}\/\d{1,2}\/\d{4}).*?((?:[0-9]{1,3}\.){3}[0-9]{1,3})
DEST_KEY = _raw
FORMAT = $1:$2
The transforming processor captures dates ($1) and IP addresses ($2) from the original raw data and rewrites the _raw data using the captured data in the format you want.
Hope this helps. Thanks!
Hunter
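To see what the transform above actually writes into _raw before deploying it, here is an added Python emulation (not Hunter's code or part of Splunk) of the REGEX/FORMAT rewrite over constructed sample events; it compares the greedy prefixes as posted with lazy ones, since the greedy form strips the leading digit of the date and of the IP's first octet.

```python
import re

# Constructed sample events (not real log data). Each carries a date and
# at least one IPv4 address, as in the "date:ipaddress" use case above.
SAMPLE_EVENTS = [
    "03/14/2024 10:22:01 INFO login ok user=alice src=10.0.0.5",
    "03/14/2024 10:22:07 WARN proxy 192.168.1.20 forwarded for 203.0.113.9",
    "heartbeat ok",  # no date/IP: REGEX does not match, event passes through
]

# Greedy prefixes as posted in the answer (with the missing "(" of the
# second capture group restored so the pattern compiles at all).
# Greedy .* backtracks from the right, so it captures the rightmost
# position where the group still matches: "3/14/2024" and "0.0.0.5".
GREEDY = r".*(\d{1,2}\/\d{1,2}\/\d{4}).*((?:[0-9]{1,3}\.){3}[0-9]{1,3})"

# Lazy prefixes stop at the first date and the first IP after it, so both
# groups capture the complete values.
LAZY = r".*?(\d{1,2}\/\d{1,2}\/\d{4}).*?((?:[0-9]{1,3}\.){3}[0-9]{1,3})"


def rewrite_raw(raw: str, regex: str) -> str:
    """Emulate DEST_KEY = _raw with FORMAT = $1:$2 for one event.

    Splunk rewrites _raw only when REGEX matches; an event that does not
    match is left untouched, which is reproduced here.
    """
    m = re.search(regex, raw)
    if m is None:
        return raw
    return f"{m.group(1)}:{m.group(2)}"


def rewrite_all(events, regex=LAZY):
    """Apply the transform to a batch of events, as the forwarder would."""
    return [rewrite_raw(e, regex) for e in events]


if __name__ == "__main__":
    for name, regex in (("greedy", GREEDY), ("lazy", LAZY)):
        print(f"--- {name}")
        for line in rewrite_all(SAMPLE_EVENTS, regex):
            print(line)
```

Python's re and Splunk's PCRE agree on every construct used here, so the output matches what the forwarder would emit.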