We have Universal Forwarder on our windows servers varying in version from 6.2.3 to 7.1.3. Our Splunk Enterprise version is 7.0.1 (upgrading soon).
I was always under the impression that formatting data on a UF was impossible but I have learned today that in some rare circumstances (structured data) that it can be done.
https://docs.splunk.com/Documentation/Splunk/6.1.2/Data/Extractfieldsfromfileheadersatindextime#Forwa
My question is, is there a way to tell with a search which, if any, forwarders are utilizing props or transforms?
↧