Splunk HEC Destination - Next Processing Queue

Question

I’ve been experimenting with “Next Processing Queue” in the Advanced Settings for a SPlunk HEC Destination, and I can’t seem to tell any difference when I change the value. I’ve used the default value (indexQueue) as well as parsingQueue, but I don’t see any difference once the data gets to Splunk.

What exactly is this setting supposed to do?

dritan · Accepted Answer

When at default (indexQueue), the Splunk receiver - often an indexer - will just index the data. If set to parsingQueue, the receiver may process it even further (e.g., thru transforms.conf and/or props.conf) before indexing. See Splunk docs re data pipeline illustration here.

Quinn Stevenson · Answer

OK - so I thought setting it to parsingQueue would allow me to use existing configurations (in Splunk) for event breaking and timestamp recognition (while were getting all our index-time processing moved to Cribl). However, I dont see any difference when I change this to parsingQueue. I tested by sending some data through logstream that sets the timestamp to current time. Splunk is configured to extract the correct timestamp (which it does not). Also, I have a SEDCMD configured in Splunk, and it runs on the events whether this value is set to parsingQueue or indexQueue.
Am I missing something?

Sign up

Using your Cribl.Cloud account

Login to the community

Using your Cribl.Cloud account

Scanning file for viruses.

This file cannot be downloaded