Re: Is it possible to enable useACK without sendin...

acidkewpie · ‎04-20-2015

Hi,

Is it possible to enable useACK without sending cooked data?

If we have two independent splunk worlds, and I'm forwarding data from one to another, it seems illogical to send cooked data when the source types and indexes don't match up. But I need the assurance that useAck (allegedly) provides.

dwaddle · ‎04-20-2015

If you aren't doing Splunk-to-Splunk protocol (that is, you are using a raw TCP socket), then useACK is not possible. The useACK feature is a part of the Splunk-to-Splunk forwarding protocol. In outputs.conf, the sendCookedData option seems to be setting whether the output is a raw socket or a splunk-to-splunk socket. So, I would say, "no, you cannot use useACK and send uncooked data"

bosburn_splunk · ‎04-20-2015

Can you clarify what your use case is?

All cooked data means is that it's data that's been sent from one Splunk instance to another - i.e. from a forwarder to an indexer, or an indexer to another indexer.

You can't useACK for items such as UDP input, tcp inputs, etc. since the originating machine wouldn't understand the acknowledgement.

Does that make sense?

Brian

acidkewpie · ‎04-20-2015

It does, but I've looked at the data on a useAck enabled connection and I don't see any actual data coming back, just an empty ACK from the indexer. If there's no actual protocol level conversation, I don't see what useACK is really doing, and if it's only on the ACK packet, what the reason for it not working with raw data would be.

Is it possible to enable useACK without sending cooked data?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases