A customer has a Universal Forwarder (UF) with an inputs.conf monitoring its splunkd.log. The data is sent through a heavy forwarder to an indexer.
Where does the index-time parsing occur?
The index time parsing in a Splunk environment occurs on the Indexer. While a Heavy Forwarder (HF) can perform some parsing before sending the data to the Indexer, the final indexing and associated parsing are performed on the Indexer itself. This ensures that the data is processed and stored correctly for search and retrieval purposes.
Heavy forwarder does parsing before idx
D, in the HF
D, in the HF
D is the correct one. Parsing takes place on the first full Splunk instance.
A, in the IDX