Splunk HEC Destination - Next Processing Queue

I’ve been experimenting with “Next Processing Queue” in the Advanced Settings for a Splunk HEC Destination, and I can’t seem to tell any difference when I change the value. I’ve used the default value (indexQueue) as well as parsingQueue, but I don’t see any difference once the data gets to Splunk.

What exactly is this setting supposed to do?

Best Answer

  • dritan
    dritan Posts: 51 mod
    Answer ✓

    When at default (indexQueue), the Splunk receiver - often an indexer - will just index the data. If set to parsingQueue, the receiver may process it even further (e.g., through transforms.conf and/or props.conf) before indexing. See Splunk docs re data pipeline illustration here.

Answers

  • Quinn Stevenson
    Quinn Stevenson Posts: 16

    OK - so I thought setting it to parsingQueue would allow me to use existing configurations (in Splunk) for event breaking and timestamp recognition (while we're getting all our index-time processing moved to Cribl). However, I don't see any difference when I change this to parsingQueue. I tested by sending some data through LogStream that sets the timestamp to current time. Splunk is configured to extract the correct timestamp (which it does not). Also, I have a SEDCMD configured in Splunk, and it runs on the events whether this value is set to parsingQueue or indexQueue.
    Am I missing something?