Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cooked Connection

JarrettM
Path Finder
‎05-01-2018 07:04 AM

A Google search indicates that that using the term "cooked" in realation to a network connection is exclusive to Splunk. What exactly is meant by "cooked connection" or "cooked ssl?"

Thanks!

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

xpac
SplunkTrust
SplunkTrust
‎05-01-2018 07:13 AM

The term cooked is sadly used pretty inconsistently with Splunk.

With regard to network connections, a cooked connection (as mentioned in some Splunk logs) is a S2S (Splunk to Splunk) connection, based on a proprietary protocol.

However, in outputs.conf and elsewhere, cooked data refers to data that has already been parsed by a full Splunk instance, like a heavy forwarder.
In that case, cooked means parsed, and you should note that such data that arrives on another full Splunk instance is not parsed again, i.e. it's not going to be subject to props.conf index time procedures again.

Data that is being sent from a. Universal Forwarder is not cooked - but it's using a cooked connection to send it.

Hope that you're know properly confused. 😉

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-01-2018 07:21 AM

Cooked connection denotes communications between two Splunk nodes as opposed to Raw connections which refer to non-Splunk nodes passing their data to Splunk.

0 Karma
Reply
Solved! Jump to solution

JarrettM
Path Finder
‎05-01-2018 09:27 AM

Thanks for your answer. I would accept it but xpac beat you too it by an hour.

Thanks again!

0 Karma
Reply
Solved! Jump to solution
Solution

xpac
SplunkTrust
SplunkTrust
‎05-01-2018 07:13 AM

The term cooked is sadly used pretty inconsistently with Splunk.

With regard to network connections, a cooked connection (as mentioned in some Splunk logs) is a S2S (Splunk to Splunk) connection, based on a proprietary protocol.

However, in outputs.conf and elsewhere, cooked data refers to data that has already been parsed by a full Splunk instance, like a heavy forwarder.
In that case, cooked means parsed, and you should note that such data that arrives on another full Splunk instance is not parsed again, i.e. it's not going to be subject to props.conf index time procedures again.

Data that is being sent from a. Universal Forwarder is not cooked - but it's using a cooked connection to send it.

Hope that you're know properly confused. 😉

Reply
Solved! Jump to solution

JarrettM
Path Finder
‎05-01-2018 09:26 AM

Thanks, that is actually quite clear. It just seems strange to me that Splunk would use a non-standard term like that and not really explain it anywhere (at least that I can find)

Thanks again!

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...