Is it possible to forward cooked parsed data (containing all fields) in json format to some external TCP end-point (using Heavy Forwarder)?
I found that it is possible to send cooked data, but I couldn't find specs for this format, is it possible to use this kind of data in external TCP end-points or it is Splunk internal format, which shouldn't be used outside of Splunk? According to docs in case of Heavy Forwarder these cooked data should be parsed. I am wondering what rules are used in process of parsing events by Heavy Forwarder? How does it know what fields should it look for in raw data?
... View more