Hello all,
I have tested with cooked, unparsed, encrypted data from a Universal Forwarder and filtering works.
The indexer input is however splunktcp-ssl and it works.
As per docs:
[tcp-ssl:
Use this stanza type if you are receiving encrypted, unparsed data from a forwarder or third-party system.
Set
This input broke event filtering.
Can I just go ahead and use splunktcp-ssl and assume all is good?
Thank you.
You should use splunktcp type connections for receiving data from Universal Forwarders. tcp-ssl is as is implied in the docs mostly for 3rd party products. There's no need to use it unless you know what you're doing and why.
UF doesn't do parsing so that shouldn't be a problem.
We did use it in the past to do event filtering which wouldn't work for parsed data from a LF.