topic Re: Where to perform field extraction in Splunk cluster in Deployment Architecture

Where to perform field extraction in Splunk cluster

neltonk — Fri, 20 Jul 2018 10:14:11 GMT

Hi, I am new to Splunk. I have built a splunk cluster (3 indexers, 1 master(also the license master), 1 search head).
I have deployed universal forwarders to all the servers using ansible and I am getting the data that I require. However I am not sure where do I now extract fields - in the indexers or search head?

Please advice...

Thanks,
Nelton

Re: Where to perform field extraction in Splunk cluster

FrankVl — Fri, 20 Jul 2018 10:18:42 GMT

Field extractions are configured on the Search Head, since they happen at search time.

Unless you have any specific need to perform index time extractions (e.g. to override the host / sourcetype). Those would have to be set on the indexers.

Re: Where to perform field extraction in Splunk cluster

neltonk — Fri, 20 Jul 2018 10:31:09 GMT

Thanks a lot for your quick response... if I have to override the host field, do I have to do the field extraction on each indexer? Please let me know.

Re: Where to perform field extraction in Splunk cluster

neltonk — Fri, 20 Jul 2018 10:32:39 GMT

And when done on indexer, will I be using the splunk web to do this or should this be done using props.conf.
Thanks,Nelton

Re: Where to perform field extraction in Splunk cluster

FrankVl — Fri, 20 Jul 2018 10:37:25 GMT

Best is to create a small app, that contains the relevant props.conf and transforms.conf and push that to all indexers in the cluster from the cluster master.
http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Updatepeerconfigurations

Re: Where to perform field extraction in Splunk cluster

splunkreal — Fri, 04 Oct 2024 09:14:18 GMT

It's easier to add extractions on SHC so you can modify them if you need. On indexers they will be fixed once indexed.

Re: Where to perform field extraction in Splunk cluster

gcusello — Fri, 04 Oct 2024 10:08:10 GMT

Hi @neltonk ,

field extractions at search time must always be configured on Search Heads (both clustered or not clustered), infact you should install on the SHs all the add-ons that you need.

If you have index time extractions, you must add them on Indexers (using The Cluster Manager) or, if present on Heavy Forwarders.

But usually field extractions are done at search time, so on SHs.

Ciao.

Giuseppe

Re: Where to perform field extraction in Splunk cluster

PickleRick — Fri, 04 Oct 2024 12:59:17 GMT

The usual consultant's answer - "it depends".

The most often used field extraction - the search-time extractions are defined on the search-head tier because... tada! they happen during search time 🙂 (actually their definitions are replicated internally to indexers so that searches can run properly but these are internal intricacies you don't have to concern yourself with at this point ;-)).

But if you want to create so-called "indexed fields" (which isn't often done but the possibility is there), you have to define them in ingest-time which means either on indexers or on any other "heavy" component your events go through first.