R_B fwijnholds_splunk · May 12 at 04:02 PM
Right, I know the UF will send cooked (unparsed) and raw data to multiple indexers and even third party systems too. I was just curious if you could send the raw data to one server, say a third party server, and the "cooked" data to the indexers. In addition, I was wondering if you could have the option to send "cooked" data without sending the correlating raw data. I'm not trying to produce this situation in my environment, I'm just trying to understand the nitty-gritty of how the UF is working and the possibilities that are capable with it.
I regret pulling this thread from the bone pile but you are asking my question. I need to send my data to two locations as mentioned. Normal processing will go to the indexer, as I understand it cooked and raw, but I need a copy of the untouched data (raw) sent to a 3rd party system/application.
Did anyone find a way to do this yet? We want to use the TAs provided by Splunk but need the above setup to work.