Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Adding Index-time field on intermediate forwarder

greich
Communicator
‎07-15-2015 07:43 AM

I need to trace the data from the originating forwarder through intermediate forwarders or directly onto indexers. I am trying to add a field when the data goes through the intermediate forwarder.

Configuration

Data collection by Heavy Forwarders

inputs.conf
[default]
host = shorthostname (of the HF)

sending all to Intermediate Forwarders

inputs.conf
[default]
host = shorthostname (IF)
router = shorthostname (IF)

props.conf
[default]
TRANSFORMS-router = addrouter

transforms.conf
[addrouter]
SOURCE_KEY = router
REGEX = (.*)
FORMAT = router::$1
WRITE_META = true

[accepted_keys]
DCIF_NAME = router

And finally on the search head
fields.conf
[router]
INDEXED = true

It seems that:
1- everything that is sourced directly on the IF (syslog and splunk logs) has the field "router"
2- everything incoming on TCP from HF does not have the field "router"

What I am missing to mark incoming cooked data?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jacobwilkins
Communicator
‎07-15-2015 07:56 AM

This is expected behavior. You are going to have to re-parse your cooked data:

See here:
http://answers.splunk.com/answers/97918/reparsing-cooked-data-coming-from-a-heavy-forwarder-possible...

On your IF (which probably needs to be a HWF), do this in inputs.conf:

[splunktcp]
route=has_key:_utf8:parsingQueue;has_key:_linebreaker:parsingQueue;absent_key:_utf8:parsingQueue;absent_key:_linebreaker:parsingQueue

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jacobwilkins
Communicator
‎07-15-2015 07:56 AM

This is expected behavior. You are going to have to re-parse your cooked data:

See here:
http://answers.splunk.com/answers/97918/reparsing-cooked-data-coming-from-a-heavy-forwarder-possible...

On your IF (which probably needs to be a HWF), do this in inputs.conf:

[splunktcp]
route=has_key:_utf8:parsingQueue;has_key:_linebreaker:parsingQueue;absent_key:_utf8:parsingQueue;absent_key:_linebreaker:parsingQueue

0 Karma
Reply
Solved! Jump to solution

greich
Communicator
‎07-15-2015 08:53 AM

Yes IF are HF. On the first instance, your solution seems to work perfectly. Will let soak, and confirm later. Thank you.

0 Karma
Reply
Solved! Jump to solution

greich
Communicator
‎07-16-2015 01:15 AM

that did it, with no noticeable impact on CPU on the IF (was expecting some). Thanks again

0 Karma
Reply
Solved! Jump to solution

greich
Communicator
‎07-15-2015 07:55 AM

I must mention that a start message:
Checking conf files for problems...
Invalid key in stanza [default] in /opt/splunk/etc/system/local/inputs.conf, line 3: router (value: blahhost)

0 Karma
Reply
Solved! Jump to solution

greich
Communicator
‎02-17-2016 01:55 AM

adding the key to the .conf.spec should resolve this

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...