Refine your search:

Hi, I have a splunk cluster and have config file props.conf and transforms.conf under master node $SPLUNK_HOME/etc/master-apps/_cluster/local/

I apply the change to its peers using CLI command apply cluster-bundle and I can see the new sourcetype is available on its peers. However, the fields in transforms.conf are not effective.

To veryify this transforms.conf is valid, I manually copy both config files to each peer /etc/system/local/ and it's working as expected.

Can any one shed some light on why transforms.conf is not working when pushed from the master node?

Thanks in advance!

asked 03 Jul '13, 07:40

shangshin's gravatar image

shangshin
5395617
accept rate: 0%

trying removing the files from /etc/system/local and push the files only from the master node. It might have conflict with the files in /etc/system/local

(03 Jul '13, 09:43) ssankeneni

Yes, I removed props.conf and transforms.conf from /etc/system/local/ but transforms.conf under /etc/slave-apps/_cluster/local/ still doesn't take any effect....

(03 Jul '13, 09:49) shangshin

One Answer:

Search-time fields should not be on indexers, only on the search head. Are your fields search-time extractions?

link

answered 03 Jul '13, 12:32

gkanapathy's gravatar image

gkanapathy ♦
36.8k81228
accept rate: 41%

Agree. If I place the transforms.conf in the search head, then I can see these fields from the search head. So if I want to see these fields on indexer, the only way is to place both config under /etc/system/local/ and it must be bundled with props.conf; otherwise, the fields won't be displayed on the UI. Is that correct?

(03 Jul '13, 12:40) shangshin
1

you should not need to put search-time extractions in the indexers into the indexer configuration. they are ignored. just put them on the search head. splunk will take care of it.

(03 Jul '13, 14:41) gkanapathy ♦
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×157

Asked: 03 Jul '13, 07:40

Seen: 415 times

Last updated: 03 Jul '13, 14:41

Copyright © 2005-2014 Splunk Inc. All rights reserved.