I have a Clustered Environment (Cluster Master) with a dedicated Search Head. I am having trouble determining where props.conf and transforms.conf are supposed to be placed.
The goal of the .conf files below is to regex-replace a string located in events for a specific Source Type. This cannot be done at search time (best practice) as it is sensitive information. The index that contains the applicable Source Type uses a Universal Forwarder (not a Heavy Forwarder).
My files are below (changed for posting). I believe the content may matter for proper placement:
transforms.conf:
[mask_string]
# Key names are case-sensitive: DEST_KEY, REGEX and FORMAT must be upper case
DEST_KEY = _raw
# With DEST_KEY = _raw the regex must match the whole event; capture the parts to keep in groups
REGEX = regex
# FORMAT replaces _raw entirely; captured groups are referenced as $1, $2, ...
FORMAT = replacement
props.conf:
# The stanza is the sourcetype name; [source::...] would match on the source path instead
[splunkSourcetype]
# TRANSFORMS requires a class suffix (TRANSFORMS-<name>)
TRANSFORMS-mask = mask_string
We are actively using the following directories on the Cluster Master to push cluster bundles to the indexers:
- /splunk/etc/master-apps
- /splunk/etc/deployment-apps
New indexes are declared with hot/cold paths and retention in the following conf file:
- /master-apps/all_indexes/local/indexes.conf
And the monitor stanzas with source paths are declared in the following conf file:
- /deployment-apps/app_name/local/inputs.conf
I have heard suggestions in other Answers to place these .conf files in /splunk/etc/master-apps/_cluster/local on the Cluster Master and /splunk/etc/master-apps/_cluster/local on the Search Head, but I have yet to try it.
Please advise. Hopefully I have provided enough background to help solve the issue.
Thank you in advance!
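The following is an added, constructed example of what a complete index-time masking app looks like; it is not the poster's configuration and is not an official Splunk sample. It assumes an app named mask_sensitive, the sourcetype splunkSourcetype from the post, and events containing a field written as card=<16 digits>. Index-time transforms are applied by the first full Splunk instance that parses the data, so with a Universal Forwarder sending directly to the cluster, that is the indexers: the app belongs under master-apps on the Cluster Master and is distributed with the cluster bundle. A Universal Forwarder does not evaluate TRANSFORMS or SEDCMD, so placing the files in deployment-apps has no effect, and a search head does not apply index-time settings either.

```ini
# $SPLUNK_HOME/etc/master-apps/mask_sensitive/local/transforms.conf
# Lives on the Cluster Master; pushed to every peer with "splunk apply cluster-bundle".
# Constructed example (not the poster's config): masks a 16-digit card number in _raw,
# keeping only the last four digits. Key names are case-sensitive.
[mask_card]
# DEST_KEY = _raw replaces the entire event with FORMAT, so capture everything
# before and after the sensitive value in $1 and $2. (?m) follows the Splunk docs
# convention; single-line events are assumed here, use (?s) if events span lines.
REGEX    = (?m)^(.*\bcard=)\d{12}(\d{4}\b.*)$
FORMAT   = $1XXXXXXXXXXXX$2
DEST_KEY = _raw

# $SPLUNK_HOME/etc/master-apps/mask_sensitive/local/props.conf
# Stanza is the sourcetype name, not [source::...], because masking is per sourcetype.
[splunkSourcetype]
# TRANSFORMS needs a class suffix; multiple classes run in lexical order of the suffix.
TRANSFORMS-mask = mask_card
# Equivalent single-line alternative for simple substitutions (sed syntax, \1 \2 backrefs):
# SEDCMD-mask = s/(card=)\d{12}(\d{4}\b)/\1XXXXXXXXXXXX\2/
```

Because index-time masking only affects data parsed after the bundle is applied, events already indexed keep their original _raw; verify the change by sending a fresh test event with a constructed value and confirming the masked form is what lands in the index.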