Splunk Search

props/transforms combination not working since switching from indexing locally to forwarding

mjones414
Contributor

props.conf:
# sourcetype the script output arrives under
[pbs:status]
# apply the host-rewriting transform below at index time
TRANSFORMS-pbs_set_host = pbs_set_host
# start a new event only on a line that begins with one of the node names
BREAK_ONLY_BEFORE = (^name1|^name2|^name3|^name4|^name5|^name6|^name7|^name8|^name9)
NO_BINARY_CHECK = 1
pulldown_type = 1

transforms.conf:
[pbs_set_host]
DEST_KEY = MetaData:Host
# REGEX is a bare PCRE: no /.../ delimiters, and the multiline flag is written inline as (?m)
REGEX = (?m)^(.*)$
FORMAT = host::$1

The data originates from a script running on a search head. While indexing at the search head, it would successfully reset the hostname according to the regex. I've since started having the search head forward that data to indexers and copied the props and transforms to the indexers, issued a /debug/refresh and also tried a | extract reload=T, but the transform is no longer applying and the host name remains that of the host running the script. How can I configure this so the regex works properly again in a forwarded scenario?

0 Karma
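The index-time behaviour of the two stanzas above, simulated in Python as an added example that is not part of the original post and not Splunk code: constructed script output is broken into events the way BREAK_ONLY_BEFORE does it, then the host transform is applied the way Splunk's REGEX attribute would apply it (a bare PCRE, so /.../m delimiters are literal characters and the multiline flag has to be written inline as (?m)). The sample records and the default host name searchhead01 are assumptions.

```python
import re

# Constructed sample of what the status script emits: each record starts with
# one of the node names listed in BREAK_ONLY_BEFORE, followed by detail lines.
SAMPLE_STREAM = """name1
state = free
jobs = 0
name2
state = job-exclusive
jobs = 3
"""

# BREAK_ONLY_BEFORE from props.conf: a new event starts only on a matching line.
BREAK_ONLY_BEFORE = re.compile(r"^(name1|name2|name3|name4|name5|name6|name7|name8|name9)")

# The REGEX value as posted, taken literally: "/" then "^" can never match
# past position 0, so the transform silently does nothing.
HOST_REGEX_AS_POSTED = re.compile(r"/^(.*)$/m")
# Same intent expressed as PCRE: inline (?m) makes ^/$ match per line, so the
# first line of each multi-line event is captured as $1.
HOST_REGEX_FIXED = re.compile(r"(?m)^(.*)$")


def break_events(stream: str) -> list[str]:
    """Mimic SHOULD_LINEMERGE + BREAK_ONLY_BEFORE: merge lines until a break line."""
    events: list[str] = []
    for line in stream.splitlines():
        if BREAK_ONLY_BEFORE.search(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def set_host(event: str, host_regex: re.Pattern, default_host: str) -> str:
    """Mimic DEST_KEY = MetaData:Host / FORMAT = host::$1 on one event."""
    m = host_regex.search(event)
    # With no match the event keeps the host of the machine running the script.
    return m.group(1) if m else default_host


def route(stream: str, host_regex: re.Pattern,
          default_host: str = "searchhead01") -> list[tuple[str, str]]:
    """Return (host, event) pairs as they would be indexed."""
    return [(set_host(ev, host_regex, default_host), ev) for ev in break_events(stream)]


if __name__ == "__main__":
    for host, ev in route(SAMPLE_STREAM, HOST_REGEX_FIXED):
        print(host, "<-", ev.splitlines()[0])
```

Python's re module stands in for PCRE here; both treat the leading slash as a literal and reject a mid-pattern ^ without the multiline flag in the same way.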

Ayn
Legend

The search head is a full instance of Splunk so it will perform parsing, and therefore your settings for transforming the events should still go on the search head even if you're forwarding them to the indexers. Once data arrives at the indexers it will already have been "cooked" by the search head, so the indexers won't do anything with it.

mjones414
Contributor

I will try kicking the search head in an hour or so to see if it makes a difference. 🙂 Thanks for the help! If that works I'll make sure to still give you credit!

0 Karma

Ayn
Legend

Did you restart the Splunk instances or just issue a /debug/refresh + extract reload=t? The latter ones don't apply to any index-time configurations, so in order for any of these settings to take effect you need to restart. It's a long shot, but still... 😉

0 Karma

mjones414
Contributor

The thing is I never removed or commented out the props/transforms on the search head either. Essentially, once I set up an outputs.conf to autoLB across indexers, it all stopped working even though I copied both stanzas over to all indexers in the LB group.

0 Karma