Solved: Index time fields ignored in cluster

charltones · ‎06-06-2014

I have a cluster setup with search head, master, 3 indexers and a forwarder. The index config is pushed from the master (and I can see after splunk apply cluster-bundle) that it successfully turns up on each index node. The problem is that all the index time transforms I have entered are being ignored.

I have the same symptoms as this question (http://answers.splunk.com/answers/93776/push-configuration-files-in-cluster) but my fields are extracted at index time. I successfully applied the same config (or at least I thought it was the same) on a separate cluster and that worked fine. Can anyone point me in the right direction to debug why the transforms are not being applied?

Similar also to this issue: http://answers.splunk.com/answers/118649/index-time-props-and-transforms-not-working

Splunk Enterprise 6.1

charltones · ‎06-10-2014

I think the answer is that either:

This doesn't work - you can't have index time fields carried out by indexers in a cluster or
It is because I was using a heavy forwarder - i.e. it believed the indexing work had already been done.

I didn't realise I was using a heavy forwarder, but I've fixed my problem by moving the indexing config to the forwarder instead and it is all behaving as expected now

View solution in original post

charltones · ‎06-10-2014

I think the answer is that either:

This doesn't work - you can't have index time fields carried out by indexers in a cluster or
It is because I was using a heavy forwarder - i.e. it believed the indexing work had already been done.

I didn't realise I was using a heavy forwarder, but I've fixed my problem by moving the indexing config to the forwarder instead and it is all behaving as expected now

Index time fields ignored in cluster

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!