- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- props/transforms combination not working since swi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
props/transforms combination not working since switching from indexing locally forwarding
props.conf:
[pbs:status]
TRANSFORMS-pbs_set_host = pbs_set_host
BREAK_ONLY_BEFORE = (^name1|^name2|^name3|^name4|^name5|^name6|^name7|^name8|^name9)
NO_BINARY_CHECK = 1
pulldown_type = 1
transforms.conf:
[pbs_set_host]
DEST_KEY = MetaData:Host
REGEX = /^(.*)$/m
FORMAT = host::$1
The data originates from a script running on a search head. While indexing at a search head, it would successfully reset the hostname according to the regex. I've since started having the search head forward that data to indexers and copied the props and transforms to the indexers, and issues a /debug/refresh and also tried a | extract reload=T, but the transform is no longer applying and the host name is remaining the host running the script. how can I configure this for the regex to work properly again in a forwarded scenario?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The search head is a full instance of Splunk so it will perform parsing, and therefore your settings for transforming the events should still go on the search head even if you're forwarding them to the indexers. Once data arrives at the indexers it will already have been "cooked" by the search head, so the indexers won't do anything with it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I will try kicking the search head in an hour or so to see if it makes a difference. 🙂 Thanks fore the help! If that works I'll make sure to still give you credit
!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you restart the Splunk instances or just issue a /debug/refresh + extract reload=t? The latter ones don't apply to any index-time configurations so in order for any of this kind of settings to take effect you need to restart. It's a long shot, but still... 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The thing is I never removed or remarked out the props/transforms on the search head either. Essentially once I setup an outputs.conf to autoLB across indexers, all stopped working even though I copied both stanza's over to all indexers in the LB group
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
