Hi, I have a splunk cluster and have config file props.conf and transforms.conf under master node $SPLUNK_HOME/etc/master-apps/_cluster/local/
I apply the change to its peers using CLI command apply cluster-bundle and I can see the new sourcetype is available on its peers. However, the fields in transforms.conf are not effective.
To veryify this transforms.conf is valid, I manually copy both config files to each peer /etc/system/local/ and it's working as expected.
Can any one shed some light on why transforms.conf is not working when pushed from the master node?
Thanks in advance!
asked 03 Jul '13, 07:40
Search-time fields should not be on indexers, only on the search head. Are your fields search-time extractions?
answered 03 Jul '13, 12:32