Extracting host from events - Multiple Indexers

jakesony
Explorer

I am trying to extract and override the 'host' field value from events. I have it working on one indexer in a three indexer group of peers. I am using UFs which load balance between three indexers (call them Indexer1, Indexer2, and Indexer3).

I have edited props and transforms.conf on Indexer1. When events happen to be forwarded to Indexer1, the value of host in the events is correct (meaning extracted from the event). When an event is forwarded to either Indexer2 or Indexer3 the host is that of the box that the forwarder is on (meaning not extracted from the event).

I'm guessing that I need to edit props and transforms.conf on Indexer2 and Indexer3, however, I have not needed to edit (or even create) these on these indexers. For example, when I create a new sourcetype, I do it only on Indexer1 but Indexer2 and Indexer3 correctly identify the sourcetype without having to add it to each (perhaps because the forwarder is dictating the sourcetype value?).

So, my question is, where and how should I edit the configuration in order for the host field to be correctly extracted from event data for a given source type when using multiple indexers load balanced by the forwarder? If I need to maintain props.conf and transforms.conf on all three indexers, what is the best practice for doing so? Should I simply copy the files from Indexer1 to Indexer2 and Indexer3?

Thanks!

1 Solution

martin_mueller
SplunkTrust

Best practice for maintaining identical configurations on multiple indexers is to either use configuration bundles distributed by the master in a clustered environment, or to distribute a configuration app through a deployment server in a non-clustered environment.

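The accepted answer names the two distribution mechanisms (a configuration bundle from the cluster manager, or a deployment-server app for unclustered indexers) but not what the app contains. The POSIX shell script below is an added example, not code from the thread or from Splunk: it builds the props.conf/transforms.conf pair that overrides host from the event body, writes a matching serverclass.conf for a deployment server, dry-runs the regex against a constructed sample event, and checks that several indexer copies of the app are identical. The app name host_override, the sourcetype my_syslog, the "<timestamp> <hostname> <message>" event layout and its regex, the Indexer* host pattern and the sample events are all assumptions. The behaviour in the question has a simple cause: a host override is an index-time transform, applied by whichever indexer (or heavy forwarder) parses the event, and a universal forwarder does not parse, so with forwarder load balancing every indexer needs the same stanzas.

```shell
#!/bin/sh
# Added example, not from the thread: package a host override as a small Splunk
# app so one identical copy can be pushed to every indexer. App name, sourcetype,
# event layout, regex, serverclass and sample events are all assumptions.

APP_NAME="host_override"
SOURCETYPE="my_syslog"            # assumed sourcetype name
# Assumed event layout: "<timestamp> <hostname> <message...>"; capture group 1
# is the hostname. Splunk evaluates REGEX with PCRE.
HOST_REGEX='^\S+\s+(\S+)\s'

# Write <root>/host_override/local/{props,transforms}.conf. <root> defaults to a
# local directory so the example runs offline; in practice it is
# $SPLUNK_HOME/etc/deployment-apps on the deployment server, or
# $SPLUNK_HOME/etc/master-apps on the cluster manager followed by
# `splunk apply cluster-bundle`.
build_app() {
  root="${1:-./deployment-apps}/$APP_NAME/local"
  mkdir -p "$root"
  cat > "$root/props.conf" <<EOF
[$SOURCETYPE]
# Host override is an index-time transform: it runs on whichever indexer (or
# heavy forwarder) parses the event, never on a universal forwarder. With UF
# load balancing every indexer therefore needs this stanza.
TRANSFORMS-sethost = ${APP_NAME}_host
EOF
  cat > "$root/transforms.conf" <<EOF
[${APP_NAME}_host]
REGEX = $HOST_REGEX
FORMAT = host::\$1
DEST_KEY = MetaData:Host
EOF
  echo "$root"
}

# Deployment-server side: one serverclass that targets the indexers and restarts
# splunkd so the index-time change takes effect. Written to <root>/serverclass.conf
# (in practice $SPLUNK_HOME/etc/system/local/serverclass.conf). Host pattern assumed.
write_serverclass() {
  out="${1:-./deployment-apps}/serverclass.conf"
  cat > "$out" <<EOF
[serverClass:indexers]
whitelist.0 = Indexer*

[serverClass:indexers:app:$APP_NAME]
restartSplunkd = true
EOF
  echo "$out"
}

# Dry-run the extraction outside Splunk: POSIX ERE equivalent of HOST_REGEX.
# Prints the captured host, or nothing when the regex does not match (in which
# case Splunk would leave host at the forwarder-supplied value).
extract_host() {
  printf '%s\n' "$1" |
    sed -nE 's/^[^[:space:]]+[[:space:]]+([^[:space:]]+)[[:space:]].*$/\1/p'
}

# Compare the app's conf files across several indexer copies; returns 1 if any
# copy differs or is missing. Use this after any manual copy between indexers.
verify_identical() {
  ref=""
  for dir in "$@"; do
    sum=$(cat "$dir/$APP_NAME/local/props.conf" \
              "$dir/$APP_NAME/local/transforms.conf" 2>/dev/null | cksum)
    if [ -z "$ref" ]; then
      ref="$sum"
    elif [ "$sum" != "$ref" ]; then
      return 1
    fi
  done
  return 0
}
```

Run build_app against the deployment server's deployment-apps directory (or master-apps on the cluster manager, then apply the bundle), reload the deployment server, and confirm the result with verify_identical against the three indexers' etc/apps directories. Copying the files by hand from Indexer1 to Indexer2 and Indexer3 works once but drifts on the next change, which is why the answer recommends a single distribution point.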