Refine your search:

Trying to find a solution to my problem:

I've checked my metris.log file and I think I've found the problem, all my universal forwarders are connecting sending cooked data:

03-28-2011 16:53:54.609 -0400 INFO  Metrics - group=tcpin_connections,, connectionType=cooked, sourcePort=3244,,, destPort=9995, _tcp_Bps=53.03, _tcp_KBps=0.05, _tcp_avg_thruput=0.01, kb=1.61, _tcp_Kprocessed=13.00, _tcp_eps=0.10, build=96430, version=4.2, os=Windows, arch=Intel, hostname=SERVERNAME, guid=933005E8-DBF9-4567-827A-E1D13E264568, fwdType=uf, ssl=false,, ack=false

Isn't a universal forwarder suposed to send unparsed data? If my indexer sees cooked data it won't apply any transforms to it. What can I do about this?

asked 28 Mar '11, 21:03

arapozo's gravatar image

accept rate: 0%

edited 28 Mar '11, 22:03

dwaddle's gravatar image

dwaddle ♦

One Answer:

The universal forwarder does send unparsed data. In this context, "cooked" merely means that blocks of data have been tagged with default fields, such as source, sourcetype and host. Both parsed and unparsed data are considered "cooked":

"Raw" data is totally unprocessed -- no tagging at all.


answered 28 Mar '11, 21:49

Steve%20G.'s gravatar image

Steve G. ♦
accept rate: 25%

Thank you, wasn't aware of that fact.

(28 Mar '11, 22:20) arapozo
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions



Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: 28 Mar '11, 21:03

Seen: 2,693 times

Last updated: 28 Mar '11, 22:03

Copyright © 2005-2014 Splunk Inc. All rights reserved.