I have a quick question here. I have a distributed environment with about 5 indexers and then a main search head.
I have a props.conf file on 1 of the indexers and it's being used to extract data into fields. However when searching on the main search head for this data, the fields aren't present. If I search on the indexer itself where the props.conf resides, the fields are present.
Do I have to put the extractions in the props.conf on the search head as well? I would have thought putting it on the indexer was the right thing to do and that this would filter down when searching on the main search head.
Actually nevermind! I put the extractions in the props.conf also on the search head and this resolved the issue. No worries here!
Actually nevermind! I put the extractions in the props.conf also on the search head and this resolved the issue. No worries here!
If you think about it, since Splunk does the field extractions at search time, and the search head has to coordinate and post-process the data coming from all the indexers, the search head must have all search-time knowledge objects.