So I know that during the input phase, a universal forwarder will take the raw data, add some metadata tags to it, and send it over to the indexer as "cooked" data, which is really just event data. I know that an indexer stores both event data and raw data. However, how does the universal forwarder get the raw data over to the indexer — as in, does the UF send one stream of "cooked" data and one stream of raw data to the indexer?
Also, are both raw and cooked data sent by default to the indexers, and are either of those configurable, in terms of not sending or sending the data, or even sending the cooked data to one destination and the raw data to a different destination?
Any help would be appreciated!
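For reference, the cooked-versus-raw choice on a forwarder is a per-output setting in outputs.conf. The fragment below is an added illustration, not part of the original question and not a verified answer to it; it assumes the documented `sendCookedData` setting in a `[tcpout:...]` stanza (default true), and the receiver names and ports are constructed placeholders.

```ini
# Added example (not from the original post). Hostnames and ports are constructed.

# Default behaviour: the forwarder sends a single "cooked" Splunk-to-Splunk stream
# to the indexers (sendCookedData is true unless overridden).
[tcpout:splunk_indexers]
server = indexer-a.example.internal:9997, indexer-b.example.internal:9997
sendCookedData = true

# A second output group that sends the raw bytes instead, intended for a
# non-Splunk receiver (e.g. a syslog-style TCP listener). Assumption: this is
# the documented way to disable cooking for one destination.
[tcpout:raw_receiver]
server = collector.example.internal:5140
sendCookedData = false
```

Each output group is either cooked or raw; there is no separate raw stream sent alongside the cooked one to the same destination. Which groups a given input feeds is controlled by `_TCP_ROUTING` in inputs.conf or props/transforms, which is outside the scope of this fragment.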