Props.conf and transforms.conf on a distributed and clustered environment

matthew_pabon
New Member

Greetings,

This is my first question so I will try to make it as clear as possible

I have an environment with one search head, 2 indexers, 3 forwarders and a master node.

The search head has the two indexers as peers and at the same time acts as a deployment server, sending apps to the forwarders and to the master node, which then sends them to the indexers via master-apps.

The forwarders are heavy ones, listening on a UDP port for syslog that is then forwarded to the indexers. In the beginning all these syslog events were being sent to the main index, but an app was implemented which now does event-based routing. All this routing is done, of course, through props.conf and transforms.conf. Now I pushed this app through the deployment server to the master node, then updated the cluster bundle to send it to the indexers, made sure the indexers have the app, and eventually restarted both indexers and the search head, which also has this app. After all that, the event routing is not happening and all the events are still going to the main index.

I used btool and made sure all the conf files were in fact on all the components.

Is there something else I need to do after updating my app to make the event routing effective on my deployment?
Is there any deeper way to debug what is really happening at parse time and index time?

Thanks a lot for the help in advance!


martin_mueller
SplunkTrust

If you're using heavy forwarders, parsing and routing is usually done on those rather than on the indexers.

matthew_pabon
New Member

Yeah, I know, but I don't want to do parsing and routing on the heavy forwarders at the moment; I just want to focus on the indexers.

vr2312
Contributor

As per Splunk's best practices, it is always advisable to have the parsing/routing done at the HF level, as doing that at the indexer level will cause more resource usage and might result in unavailability due to heavy load.

dwaddle
SplunkTrust

Wow, blast from the past from 2014. First of all, it is not possible to tell heavy forwarders NOT to parse events. If you don't want parsing, don't use a heavy - use a universal forwarder instead. Second of all, in 2016 the use of heavy forwarders as a parsing / routing layer is definitely NOT best practice. It can be made to work, but special care must be taken in the design to make sure that adding heavy forwarders does not create a situation where things are worse. The best practice today is to let indexers handle parsing and routing directly, and only resort to using heavies for this role in specific deployment scenarios.
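The practical consequence of the point above is that index-time routing has to live on the first full Splunk instance that sees the raw data. A heavy forwarder parses events and sends them to the indexers already "cooked", so a props.conf/transforms.conf pair that is deployed only to the indexers is never applied to those events, which is consistent with everything still landing in main. The following is an added illustration, not configuration from the original thread or from the asker's app: a minimal routing pair that would be deployed to the heavy forwarders. The sourcetype `syslog`, the target indexes `firewall` and `auth`, the transform names, and the two regexes keyed on hostname prefixes are all assumed for the example.

```ini
# props.conf on the heavy forwarder (the instance that parses the UDP syslog input).
# The TRANSFORMS-<class> key applies index-time transforms to the named sourcetype.
# Listed transforms run in order; a later match overwrites an earlier one.
[syslog]
TRANSFORMS-routing = route_firewall, route_auth

# transforms.conf on the same instance.
# DEST_KEY = _MetaData:Index tells Splunk to rewrite the destination index,
# and FORMAT is the index name to use when REGEX matches the raw event.
# Events that match no rule keep the index set on the input (main here).
[route_firewall]
# Assumed convention: firewall hostnames look like "fw-01", "fw-12", ...
REGEX = \sfw-\d+\s
DEST_KEY = _MetaData:Index
FORMAT = firewall

[route_auth]
# Assumed convention: authentication servers look like "auth-01", "auth-02", ...
REGEX = \sauth-\d+\s
DEST_KEY = _MetaData:Index
FORMAT = auth
```

Two checks are worth doing after pushing such an app. First, confirm on the heavy forwarder itself (not only on the indexers) that the merged configuration contains the stanzas, with `splunk btool props list syslog --debug` and `splunk btool transforms list route_firewall --debug`; the `--debug` flag prints which file each setting came from, which exposes a competing stanza in another app. Second, remember that routing only affects events received after the forwarder restart; events already written to main stay there, so verify with a search bounded to the time after the restart, and make sure the target indexes exist on the indexers, because an event routed to a nonexistent index is dropped rather than falling back to main.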
