Splunkers, I am facing this issue of cooked data, I know there are many answers about it and this has been a real pain for many. I have gone through them and none of it is working. Below are my configurations , if anyone of you can point out where the error is
Forwarder - outputs.conf
[tcpout]
defaultGroup = dmc
indexAndForward = false
disabled = false
#sendCookedData=false when i uncomment it I don't get any data at all , not even the cooked one
forwardedindex.2.whitelist = test_index
[tcpout:dmc]
server = xx.xx.xx.xx:9997
autoLB = true
-------------------------------------------------------------------------------------------
Indexer - inputs.conf
[splunktcp://9996]
connection_host = ip
[splunktcp://9997] disabled = 0
[tcp://8097]
connection_host = dns
index = test_index
sourcetype = generic_single_line
on indexer I am receiving "--splunk-cooked-mode-v3-- " junk data. Also if anyone can then please explain a bit about cooked mode.
↧