Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Where is the proper place to use INDEXED_EXTRACTIONS = JSON -- the indexer or a heavy forwarder?

wrangler2x
Motivator
‎04-15-2016 11:38 AM

https://answers.splunk.com/answers/174939/why-are-my-json-fields-extracted-twice.html shows this props.conf entry on the forwarder:

[json_app]
INDEXED_EXTRACTIONS=json
KV_MODE=none

However, this https://kzhendev.wordpress.com/2015/01/19/consuming-json-with-splunk-in-two-simple-steps/ shows this being done on the indexer, with the forwarder just setting the sourcetype on the inputs.conf file. If I have a heavy forwarder taking in the JSON logs and forwarding them, can I just put this props.conf on the forwarder and be done there? I'd assume if the answer is yes that I need to nothing further on the indexer.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ryandg
Communicator
‎04-15-2016 11:52 AM

You can do this on the heavy forwarder and performance-wise I would recommend doing it on the Heavy Forwarder unless the data is going straight to the indexers (which you said it isn't but just for future reference if that ever happens).

EDIT: Please note that if you are routing your data to multiple groups DO NOT do it on the heavy forwarder tier -- SPL-98594 known issue

View solution in original post

0 Karma
Reply
Solved! Jump to solution

muebel
SplunkTrust
SplunkTrust
‎04-15-2016 11:58 AM

Hi wrangler2x, Yup, thats correct. If you have a heavy-forwarder in between your universal-forwarders and indexers, the HF will "cook" those events, and then indexer just writes them to disk.

Please let me know if this answers your question!

0 Karma
Reply
Solved! Jump to solution

wrangler2x
Motivator
‎04-15-2016 01:07 PM

Thanks for the confirmation. The two of you have answered my question!

0 Karma
Reply
Solved! Jump to solution
Solution

ryandg
Communicator
‎04-15-2016 11:52 AM

You can do this on the heavy forwarder and performance-wise I would recommend doing it on the Heavy Forwarder unless the data is going straight to the indexers (which you said it isn't but just for future reference if that ever happens).

EDIT: Please note that if you are routing your data to multiple groups DO NOT do it on the heavy forwarder tier -- SPL-98594 known issue

0 Karma
Reply
Solved! Jump to solution

wrangler2x
Motivator
‎04-15-2016 01:07 PM

Thanks! That's what I was hoping would be the case.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...