Deployment Architecture

Push configuration files in cluster

shangshin
Builder

Hi,
I have a Splunk cluster and have the config files props.conf and transforms.conf under the master node's $SPLUNK_HOME/etc/master-apps/_cluster/local/

I apply the change to its peers using the CLI command apply cluster-bundle and I can see the new sourcetype is available on its peers. However, the fields in transforms.conf are not effective.

To verify this transforms.conf is valid, I manually copy both config files to each peer's /etc/system/local/ and it's working as expected.

Can anyone shed some light on why transforms.conf is not working when pushed from the master node?

Thanks in advance!

0 Karma

gkanapathy
Splunk Employee

Search-time fields should not be on indexers, only on the search head. Are your fields search-time extractions?

gkanapathy
Splunk Employee

You should not need to put search-time extractions in the indexers into the indexer configuration. They are ignored. Just put them on the search head. Splunk will take care of it.

shangshin
Builder

Agree. If I place the transforms.conf in the search head, then I can see these fields from the search head. So if I want to see these fields on the indexer, the only way is to place both config files under /etc/system/local/ and it must be bundled with props.conf; otherwise, the fields won't be displayed on the UI. Is that correct?

0 Karma

shangshin
Builder

Yes, I removed props.conf and transforms.conf from /etc/system/local/ but transforms.conf under /etc/slave-apps/_cluster/local/ still doesn't take any effect....

0 Karma

ssankeneni
Communicator

Try removing the files from /etc/system/local and push the files only from the master node. It might have a conflict with the files in /etc/system/local.

0 Karma
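
The search-time versus index-time split raised in the accepted answer, as an added example that is not part of the original thread: a small Python script that reads a props.conf and sorts each setting by the tier that applies it, listing the transforms.conf stanzas each `REPORT-`/`TRANSFORMS-` line references. The prefix lists follow Splunk's props.conf documentation and are not exhaustive; the sample stanza and transform names are hypothetical.

```python
# Added example, not from the thread. Prefix lists are not exhaustive.
SEARCH_TIME = ("EXTRACT-", "REPORT-", "FIELDALIAS-", "EVAL-", "LOOKUP-", "KV_MODE")
INDEX_TIME = ("TRANSFORMS-", "SEDCMD-", "LINE_BREAKER", "SHOULD_LINEMERGE",
              "TIME_PREFIX", "TIME_FORMAT", "TRUNCATE")

# Constructed sample props.conf; stanza and transform names are hypothetical.
SAMPLE_PROPS = r"""
[my_sourcetype]
SHOULD_LINEMERGE = false
TRANSFORMS-route = set_index_by_host
REPORT-fields = my_delims, my_kv
EXTRACT-user = user=(?<user>\w+)
"""


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, joining '\\' continuations."""
    stanzas = {"default": {}}
    current, pending = stanzas["default"], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # setting continues on the next line
            pending = line[:-1] + " "
        elif not line or line.startswith("#"):
            continue
        elif line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas


def placement(props_text):
    """Group (stanza, key, referenced transforms) by the tier that applies the setting."""
    plan = {"search_head": [], "indexer": [], "unclassified": []}
    for stanza, settings in parse_conf(props_text).items():
        for key, value in settings.items():
            tier = ("search_head" if key.startswith(SEARCH_TIME)
                    else "indexer" if key.startswith(INDEX_TIME) else "unclassified")
            # REPORT-/TRANSFORMS- values are comma-separated transforms.conf stanza names.
            is_ref = key.startswith(("REPORT-", "TRANSFORMS-"))
            refs = [v.strip() for v in value.split(",")] if is_ref else []
            plan[tier].append((stanza, key, refs))
    return plan


if __name__ == "__main__":
    for tier, items in placement(SAMPLE_PROPS).items():
        print(tier, items)
```

Transforms stanzas that appear only under `search_head` are the ones that have no effect when pushed to peers through the cluster bundle.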