topic Re: Forwarder configuration in Getting Data In

Forwarder configuration

asarolkar — Thu, 17 May 2012 03:15:25 GMT

I have a log file on a windows forwarder for which - I want to segregate the fields contained in that log file -- on the forwarder -- before they are pickedup by the indexer.

The configuration at : C:\Program Files\SplunkUniversalForwarder\etc\system\local\ is like this:

>>inputs.conf:
[monitor ://D\Folder]
disabled=0
whitelist=Organization\.csv*
index=main
sourcetype=alpha

This works UP TILL THIS POINT - as in - searching for sourcetype=alpha gives us properly indexed content of Organization.log

The next and the more painful step is to correctly configure the props.conf and transforms.conf [neither of which exist under C:\Program Files\SplunkUniversalForwarder\etc\system\local\ - SO I HAD TO ADD THEM]

>> props.conf:
[alpha]
REPORT-alpha = alpha-fields

>> transforms.conf:
[alpha-fields]
DELIMS=","
FIELDS="field1-alpha", "field2-alpha"

This does not work.

Any ideas ?

Re: Forwarder configuration

Damien_Dallimor — Thu, 17 May 2012 04:36:06 GMT

"REPORT" is a search time extraction , so your props.conf and transforms.conf should live on your Splunk Search Head , not the Universal Forwarder.

Re: Forwarder configuration

asarolkar — Thu, 17 May 2012 04:37:01 GMT

Does it matter that the configuration to capture this sourcetype is done on the forwarder side ?

We changed the inputs.conf on the forwarder side

Shouldnt the props.conf and transforms.conf also live on the forwarder side ?

Re: Forwarder configuration

Damien_Dallimor — Thu, 17 May 2012 04:45:34 GMT

For the particular configuration you have described in your original post :

inputs.conf -> Universal Forwarder
props.conf & transforms.conf -> Splunk Search Head

Re: Forwarder configuration

asarolkar — Thu, 17 May 2012 05:23:59 GMT

Thanks damien !

That did not seem to work out for us 😞

Re: Forwarder configuration

asarolkar — Mon, 28 Sep 2020 11:50:11 GMT

These are again the changes we made and their locations:

On the FORWARDER (Windows Machine) - inputs.conf - changed at :

\etc\system\local\

On the INDEXER (Search Head) - we added the following to props.conf at C:\Program Files\Splunk\etc\system\local\

C:\Program Files\SplunkUniversalForwarder\etc\system\local\
[alpha]
CHECK_FOR_HEADER=true
KV_MODE=none
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false

On the INDEXER (Search Head) - we added a second props.conf and transforms.conf (from my initial post) at

C:\Program Files\Splunk\etc\apps\search\local\