sendCookedData=false when i uncomment it I don't get any data at all , not even the cooked one

kunalmao · ‎10-15-2017

Splunkers, I am facing this issue of cooked data, I know there are many answers about it and this has been a real pain for many. I have gone through them and none of it is working. Below are my configurations , if anyone of you can point out where the error is

Forwarder - outputs.conf

[tcpout]
defaultGroup = dmc
indexAndForward = false
disabled = false

sendCookedData=false when i uncomment it I don't get any data at all , not even the cooked one

forwardedindex.2.whitelist = test_index

[tcpout:dmc]
server = xx.xx.xx.xx:9997
autoLB = true

Indexer - inputs.conf

[splunktcp://9996]
connection_host = ip

[splunktcp://9997] disabled = 0

[tcp://8097]
connection_host = dns
index = test_index
sourcetype = generic_single_line

on indexer I am receiving "--splunk-cooked-mode-v3-- " junk data. Also if anyone can then please explain a bit about cooked mode.

kunalmao · ‎10-16-2017

directed to port 9996 in outputs.conf and created index=test_index on indexer and it solved the issue for me.

View solution in original post

kunalmao · ‎10-16-2017

directed to port 9996 in outputs.conf and created index=test_index on indexer and it solved the issue for me.

"--splunk-cooked-mode-v3-- " in the indexer

sendCookedData=false when i uncomment it I don't get any data at all , not even the cooked one

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?