Getting Data In

Forwarder / Indexer Transforms.

Splunker
Communicator

Hi guys,

I have some universal forwarders forwarding to an indexer (4.2.2) and all works great; I set the sourcetype in the forwarders' inputs.conf and that works fine.

The forwarder is monitoring local files on the system.

I want Splunk to extract the fields for data from the forwarder, and I can get it working fine via props.conf/transforms.conf when the file is locally monitored on the indexer, but not when it comes into the indexer from a forwarder (the sourcetype gets set OK, and it even gets routed to my custom index from the forwarder's inputs.conf).

I've tried props.conf/transforms.conf on the forwarder and on the indexer, but I can't see my fields being extracted.

I have browsed the docs and the questions archive and tried a few things, but still can't get it to work.

Thanks!

Chris.


jbsplunk
Splunk Employee

Well, the first thing to note here is that you can't use transforms/props except in places where data gets parsed, which in most cases is going to be the indexer. The UF doesn't do any parsing, so it won't work to do these changes there. That being said, what kind of field extractions are these? Search-time or index-time field extractions? If index-time, it is very likely you don't need to do this; search-time field extractions are appropriate in the vast majority of use cases. If you try to use rex in the search language, can you get field extractions working? If so, I would recommend using the EXTRACT setting in props.conf along with the regex you're using in rex, or you can try using IFX to do this as well.

Sorry I don't have a specific answer for you, but I don't know what is actually in your props.conf or how you're trying to do the field extractions, so I can't offer anything aside from generic advice.

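To make the answer above concrete, here is an added example (not from the original thread, and not Splunk's own documentation) of the two approaches it contrasts, using a constructed sourcetype `my_app` and a constructed log line of the form `2011-06-20 12:00:01 user=alice action=login src=10.0.0.5 status=failed`. The search-time `EXTRACT` stanza lives wherever searches run (here, the indexer); the index-time `TRANSFORMS` stanza must sit where parsing happens (the indexer or a heavy forwarder), never on a universal forwarder.

```ini
# --- Step 1: prove the regex with rex before touching any .conf file ---
#   sourcetype=my_app
#   | rex field=_raw "user=(?<user>\S+) action=(?<action>\S+) src=(?<src_ip>\S+) status=(?<status>\S+)"
# If the fields appear, move the same regex into props.conf below.

# --- Search-time extraction (preferred; no reindexing when the regex changes) ---
# File: $SPLUNK_HOME/etc/system/local/props.conf on the indexer/search head
[my_app]
EXTRACT-my_app_kv = user=(?<user>\S+) action=(?<action>\S+) src=(?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) status=(?<status>\S+)

# --- Index-time extraction (only if you truly need an indexed field, e.g. one
#     field filtered on in nearly every search over a very large index) ---
# File: props.conf on the INDEXER (parsing tier), same stanza name
#[my_app]
#TRANSFORMS-my_app_idx = my_app_status_indexed

# File: transforms.conf on the INDEXER
[my_app_status_indexed]
REGEX = status=(\S+)
FORMAT = status::$1
WRITE_META = true

# File: fields.conf on the search head so the indexed field is searched as a
# term (status=failed) rather than a regex match against _raw
[status]
INDEXED = true
```

Restart splunkd (or reload props with `| extract reload=true` for the search-time case) and verify with `sourcetype=my_app | table user action src_ip status`; index-time changes only apply to events indexed after the restart.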

Splunker
Communicator

Thanks jbsplunk,

I should have realized the transforms happen on the indexer rather than the forwarder (I didn't have the order of operations within the pipeline clear in my head).

After some research into the area, I realize what I did wrong, and have it working now, thanks! 🙂

Cheers.


