You could win up to $50,000 building Splunk apps in the Splunk>Apptitude contest. Learn more »
I have a splunk cluster and have config file props.conf and transforms.conf under master node $SPLUNK_HOME/etc/master-apps/_cluster/local/
I apply the change to its peers using CLI command apply cluster-bundle and I can see the new sourcetype is available on its peers. However, the fields in transforms.conf are not effective.
To veryify this transforms.conf is valid, I manually copy both config files to each peer /etc/system/local/ and it's working as expected.
Can any one shed some light on why transforms.conf is not working when pushed from the master node?
Thanks in advance!
Splunk Forwarder on Windows 2008 R2 0 Answers