I have a custom source type and field extractions which work perfectly well when indexed locally on the Splunk Enterprise server (indexer + search head). However, when the same type of input is forwarded from a UF, the extractions don't work.
On the Splunk Enterprise server (Splunk 6.1.3 (build 220630) on RH 6.5), /apps/splunk/splunk/etc/system/local/props.conf has this stanza:
[test_pipe_2]
FIELD_DELIMITER = |
FIELD_NAMES = time,c1,c2
HEADER_FIELD_DELIMITER = |
INDEXED_EXTRACTIONS = psv
KV_MODE = none
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
pulldown_type = 1
On the UF (Splunk Universal Forwarder 6.1.3 (build 220630) on RH 6.4), /opt/splunkforwarder/etc/system/local/inputs.conf has this stanza:
[monitor:///tmp/testme]
disabled = false
index = myindex
sourcetype = test_pipe_2
When I put files in /tmp/testme that look like the sample below, I get events when searching for index=myindex, and they do have sourcetype test_pipe_2, but the fields c1 and c2 are not extracted.
However, when I put similar text in a file on the Enterprise server (indexer+search head) and index it with sourcetype test_pipe_2, it has the fields.
Sample input:
Wed Sep 10 10:14:01 CDT 2014|apple|pear
Note that I have also tried placing the same stanza in /opt/splunkforwarder/etc/apps/search/local/inputs.conf on the UF, same result.
What am I doing wrong?
Another experiment: when I purposely misspell the sourcetype on the UF inputs.conf, to a non-existent sourcetype, it still gets indexed and just shows up in searches as that sourcetype. I'm not sure what that implies but it seems interesting.
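As an added illustration (not code from the original post, and not Splunk's own parsing code), the script below emulates what the props.conf stanza above asks for: it reads the stanza with a plain INI parser and applies FIELD_DELIMITER / FIELD_NAMES to raw lines, so you can check offline what the extracted fields for the sample line should look like once indexed extraction is actually applied. The stanza copy and sample lines are constructed; the header-row handling is an assumption for illustration, and the script says nothing about where (forwarder or indexer) Splunk performs the extraction.

```python
"""Emulation of the PSV indexed extraction described by the props.conf
stanza in the post. Added example; not from the post and not Splunk code."""
import configparser

# Constructed copy of the poster's stanza, in props.conf syntax.
PROPS_CONF = """
[test_pipe_2]
FIELD_DELIMITER = |
FIELD_NAMES = time,c1,c2
HEADER_FIELD_DELIMITER = |
INDEXED_EXTRACTIONS = psv
KV_MODE = none
SHOULD_LINEMERGE = false
"""

# Default delimiter per INDEXED_EXTRACTIONS format when FIELD_DELIMITER is unset.
DELIMITER_ALIASES = {"psv": "|", "csv": ","}


def load_stanza(text, name):
    """Parse a props.conf-style stanza into a dict (keys kept case-sensitive)."""
    cp = configparser.RawConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # do not lowercase FIELD_NAMES etc.
    cp.read_string(text)
    return dict(cp.items(name))


def extract_fields(stanza, lines):
    """Apply FIELD_DELIMITER / FIELD_NAMES from the stanza to raw event lines.

    Assumption for this illustration: a leading line equal to FIELD_NAMES
    joined by HEADER_FIELD_DELIMITER is a header row and is skipped. A line
    whose column count does not match FIELD_NAMES keeps only _raw, so a
    mis-delimited event is visible as "indexed but no fields".
    """
    fmt = stanza.get("INDEXED_EXTRACTIONS", "psv").lower()
    delim = stanza.get("FIELD_DELIMITER", DELIMITER_ALIASES.get(fmt, ","))
    names = [n.strip() for n in stanza["FIELD_NAMES"].split(",")]
    header = stanza.get("HEADER_FIELD_DELIMITER", delim).join(names)

    events = []
    for line in lines:
        line = line.rstrip("\n")
        if not line or line == header:
            continue
        values = line.split(delim)
        if len(values) != len(names):
            events.append({"_raw": line})
            continue
        fields = dict(zip(names, values))
        fields["_raw"] = line
        events.append(fields)
    return events


if __name__ == "__main__":
    # Constructed sample lines: the poster's line plus a header and a bad row.
    sample = [
        "time|c1|c2",
        "Wed Sep 10 10:14:01 CDT 2014|apple|pear",
        "Wed Sep 10 10:15:01 CDT 2014|banana",
    ]
    for ev in extract_fields(load_stanza(PROPS_CONF, "test_pipe_2"), sample):
        print(ev)
```

Running it prints one event with time, c1 and c2 populated for the sample line, and one event with only _raw for the short row. That is the shape of what a search for index=myindex sourcetype=test_pipe_2 should return once the extraction is in effect; comparing it with what you actually see (sourcetype set, fields absent) narrows the problem to where the structured parsing runs rather than to the stanza's field definitions.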