I’ve been experimenting with “Next Processing Queue” in the Advanced Settings for a Splunk HEC Destination, and I can’t seem to tell any difference when I change the value. I’ve used the default value (indexQueue) as well as parsingQueue, but I don’t see any difference once the data gets to Splunk.
What exactly is this setting supposed to do?
When at default (indexQueue), the Splunk receiver - often an indexer - will just index the data. If set to parsingQueue, the receiver may process it even further (e.g., thru transforms.conf and/or props.conf) before indexing. See Splunk docs re data pipeline illustration here.
OK - so I thought setting it to parsingQueue would allow me to use existing configurations (in Splunk) for event breaking and timestamp recognition (while we’re getting all our index-time processing moved to Cribl). However, I don’t see any difference when I change this to parsingQueue. I tested by sending some data through LogStream that sets the timestamp to current time. Splunk is configured to extract the correct timestamp (which it does not). Also, I have a SEDCMD configured in Splunk, and it runs on the events whether this value is set to parsingQueue or indexQueue.
Am I missing something?