document updated 9 days ago, on Feb 11, 2025

metrics.log

group=tcpout_connections

If I'm trying to confirm that data is actually being sent to the indexer, these are the lines to pay attention to.

The difference between __tcp__KBps and kb is that 'kb' is the raw number of bytes transmitted to the indexer since the last log line was output, regardless of how many seconds long that interval was. '__tcp__KBps' is 'kb' divided by the amount of time since the last log line was output.

When you look at it, it seems like there's some data that gets repeated. Upon closer inspection, you notice subtle details:

'Uncooked' data is the raw unparsed text from the logfiles, sent directly from the Splunk Forwarder to the Indexer(s).

'Cooked' data means that it's been parsed by the Forwarder, and it's sent over the network to the Indexer(s) in already-parsed form.