Hi, I am a data in UF and I am sending it to HF and then IDX. I am trying to route the data in another index using props.conf and transforms.conf in HF but it is not getting routed.
But, When I Connect UF with IDX directly and do the routing in props and transforms in IDX , it works.
But, When I Connect UF with HF and HF is sending data to IDX and created props.conf and transforms.conf in IDX itself to route the data, again it is not getting routed.
What is the reason behind if data goes through HF to IDX ( Even though I write the routing stuff in IDX), data is not getting routed?
I have read all the docs, but not convinced with the theory. Kindly provide me the technical explanation.
Hi @abhayneilam
This thread is in dead old, but did you ever solve your issue?
Here a really usefull page explaning how indexing works: https://wiki.splunk.com/Community:HowIndexingWorks
I'm trying to perform the same as you. If you did solve it in the meantime, any hints on how you did it would be highly appreciated.
typingQueue is where the "props.conf" and "transforms.conf" are being polled. As your data is already cooked on UF this should be skipped on the HF. Or how Splunk would call it "intermediate forwarder" - https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Configureanintermediateforwarder
At least that's the way I have understood it
Mate, Settings has to be amended on Heavy Forwarder not on Indexer.
If your data flow is UF->HF->IDX and your HF is a full Splunk Enterprise instance, then these routing configurations should be set on HF. Again, ensure that you're deploying the same configuration that worked from IDX and restarting HF after making the change.
but it does not work if I do routing the events through HF
Something must be wrong with either configuration that you put in OR some other configuration might be conflicting it in HF. Try to run btool on HF (after applying to your props.conf/transforms.conf changes) to see if you see the configuration you deployed.