<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Index time fields with heavy forwarder in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Index-time-fields-with-heavy-forwarder/m-p/73436#M15050</link>
<description>&lt;P&gt;It's all about your input data path.&lt;/P&gt;

&lt;P&gt;If all of your data is coming from the heavy forwarder and then going to the indexer, the data will be cooked when it hits the indexer. Cooked data is immune to those particular props and transforms WRITE_META field stanzas, so they will have no effect on the incoming data for those particular sources. You can force the data back through the parsing queues (more info here: &lt;A href="http://answers.splunk.com/answers/97918/reparsing-cooked-data-coming-from-a-heavy-forwarder-possible" target="_blank"&gt;http://answers.splunk.com/answers/97918/reparsing-cooked-data-coming-from-a-heavy-forwarder-possible&lt;/A&gt;) to make it perform those WRITE_META commands, but this has its own issues.&lt;/P&gt;

&lt;P&gt;In a nutshell, wherever your data is actually being parsed is where those props and transforms need to live. That being said, having those props and transforms on the indexer won't hurt and may catch sources that talk directly to your indexers (i.e. other UFs). This can make management of your configuration harder, as you will have several places where you need to update config or check when something doesn't work quite right.&lt;/P&gt;

&lt;P&gt;Also, in regards to indexed fields, you need to be careful as they can cause rapid bucket rolls (I just recently implemented some index-time field extractions to improve performance), which can also have a negative search performance hit for anything accessing the destination indexes (&lt;A href="http://answers.splunk.com/answers/102682/safe-custom-setting-for-maxmetaentries-in-indexesconf" target="_blank"&gt;http://answers.splunk.com/answers/102682/safe-custom-setting-for-maxmetaentries-in-indexesconf&lt;/A&gt;).&lt;/P&gt;</description>
    <pubDate>Mon, 28 Sep 2020 14:50:42 GMT</pubDate>
    <dc:creator>Lucas_K</dc:creator>
    <dc:date>2020-09-28T14:50:42Z</dc:date>
    <item>
      <title>Index time fields with heavy forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Index-time-fields-with-heavy-forwarder/m-p/73435#M15049</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;

&lt;P&gt;I have a similar question to&lt;BR /&gt;
&lt;A href="http://answers.splunk.com/answers/10275/how-to-add-an-indexed-field-in-a-distributed-setup"&gt;This question&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;I also know indexed fields are generally a no-no, but we are going to use one anyway &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;BR /&gt;
I am in a distributed environment with a search head pool AND a heavy forwarder handling certain props and transforms.&lt;/P&gt;

&lt;P&gt;Would the props.conf, transforms.conf, and fields.conf changes all be made on all of the indexers since the field is created at index time or would it possibly need to be made on the heavy forwarder since it handles additional parsing?&lt;/P&gt;

&lt;P&gt;Here's what I have.&lt;BR /&gt;
Thanks&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;# props.conf
[logger_cef]
TRANSFORMS-flexString2 = flexString2_indx

# transforms.conf
[flexString2_indx]
# Capture the flexString2 value up to the next space; FORMAT refers to it as $1
REGEX = flexString2=(?&amp;lt;flex2&amp;gt;[^ ]+)
# Index-time field written as name::value (no quotes around $1, or they become part of the value)
FORMAT = flexstring2::$1
WRITE_META = true

# fields.conf
[flexstring2]
INDEXED = true
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Thu, 26 Sep 2013 00:03:30 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Index-time-fields-with-heavy-forwarder/m-p/73435#M15049</guid>
      <dc:creator>sonicZ</dc:creator>
      <dc:date>2013-09-26T00:03:30Z</dc:date>
    </item>
    <item>
      <title>Re: Index time fields with heavy forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Index-time-fields-with-heavy-forwarder/m-p/73436#M15050</link>
<description>&lt;P&gt;It's all about your input data path.&lt;/P&gt;

&lt;P&gt;If all of your data is coming from the heavy forwarder and then going to the indexer, the data will be cooked when it hits the indexer. Cooked data is immune to those particular props and transforms WRITE_META field stanzas, so they will have no effect on the incoming data for those particular sources. You can force the data back through the parsing queues (more info here: &lt;A href="http://answers.splunk.com/answers/97918/reparsing-cooked-data-coming-from-a-heavy-forwarder-possible" target="_blank"&gt;http://answers.splunk.com/answers/97918/reparsing-cooked-data-coming-from-a-heavy-forwarder-possible&lt;/A&gt;) to make it perform those WRITE_META commands, but this has its own issues.&lt;/P&gt;

&lt;P&gt;In a nutshell, wherever your data is actually being parsed is where those props and transforms need to live. That being said, having those props and transforms on the indexer won't hurt and may catch sources that talk directly to your indexers (i.e. other UFs). This can make management of your configuration harder, as you will have several places where you need to update config or check when something doesn't work quite right.&lt;/P&gt;

&lt;P&gt;Also, in regards to indexed fields, you need to be careful as they can cause rapid bucket rolls (I just recently implemented some index-time field extractions to improve performance), which can also have a negative search performance hit for anything accessing the destination indexes (&lt;A href="http://answers.splunk.com/answers/102682/safe-custom-setting-for-maxmetaentries-in-indexesconf" target="_blank"&gt;http://answers.splunk.com/answers/102682/safe-custom-setting-for-maxmetaentries-in-indexesconf&lt;/A&gt;).&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 14:50:42 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Index-time-fields-with-heavy-forwarder/m-p/73436#M15050</guid>
      <dc:creator>Lucas_K</dc:creator>
      <dc:date>2020-09-28T14:50:42Z</dc:date>
    </item>
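Added example (editor's illustration, not code from either poster or from Splunk): a small Python model of the two points in the thread. It applies the question's transforms.conf (REGEX, FORMAT with $1, WRITE_META) to a few constructed CEF events to show the key::value pairs that land in _meta, and it walks an event along the two data paths from the answer (universal forwarder straight to the indexer, versus universal forwarder, then heavy forwarder, then indexer) to show why transforms installed only on the indexer never fire for data the heavy forwarder has already cooked. The sample events, the dict layout of the conf files and the simplified "cooked data skips the parsing stage" pipeline are assumptions made for the illustration; the variant with quotes around $1 is included to show that the quotes end up inside the stored value.

```python
import re

# Constructed sample events for sourcetype logger_cef (not taken from the thread).
SAMPLE_EVENTS = [
    "CEF:0|Vendor|Product|1.0|100|Login|3|src=10.0.0.5 flexString2=alpha-team suser=bob",
    "CEF:0|Vendor|Product|1.0|101|Logout|3|src=10.0.0.6 suser=alice",
    "CEF:0|Vendor|Product|1.0|102|Login|5|flexString2=blue src=10.0.0.7",
]

# The poster's props.conf / transforms.conf expressed as dicts (assumed layout).
# FORMAT here has no quotes around $1; QUOTED_TRANSFORMS shows the effect of adding them.
PROPS = {"logger_cef": ["flexString2_indx"]}
TRANSFORMS = {
    "flexString2_indx": {
        "REGEX": r"flexString2=([^ ]+)",
        "FORMAT": "flexstring2::$1",
        "WRITE_META": True,
    }
}
QUOTED_TRANSFORMS = {
    "flexString2_indx": dict(TRANSFORMS["flexString2_indx"], FORMAT='flexstring2::"$1"')
}


def apply_transforms(sourcetype, raw, props=PROPS, transforms=TRANSFORMS):
    """Emulate index-time TRANSFORMS-* processing for one raw event.

    Returns the key::value strings that WRITE_META transforms would append to
    the event's _meta, i.e. the indexed fields. Simplified model, not Splunk's code.
    """
    meta = []
    for name in props.get(sourcetype, []):
        t = transforms[name]
        if not t.get("WRITE_META", False):
            continue
        m = re.search(t["REGEX"], raw)
        if m is None:
            continue
        out = t["FORMAT"]
        # Substitute $1, $2, ... with the corresponding capture groups, verbatim.
        for i, group in enumerate(m.groups(), start=1):
            out = out.replace("$" + str(i), group)
        meta.append(out)
    return meta


def parsing_stage(has_config, sourcetype, raw, cooked):
    """One parsing stage (a heavy forwarder or an indexer).

    Data that arrives already cooked (parsed upstream) skips the parsing queue,
    so transforms that exist only on this host never see it.
    Returns (meta_added, cooked_after).
    """
    if cooked:
        return [], True
    meta = apply_transforms(sourcetype, raw) if has_config else []
    return meta, True


def index_time_meta(path, sourcetype, raw, hf_has_config, idx_has_config):
    """Follow an event along a data path and return its _meta at index time.

    path is "uf-idx" (universal forwarder straight to the indexer) or
    "uf-hf-idx" (universal forwarder, then heavy forwarder, then indexer).
    The universal forwarder is modelled as sending uncooked data, which is
    how the thread uses the term.
    """
    cooked = False
    meta = []
    if path == "uf-hf-idx":
        added, cooked = parsing_stage(hf_has_config, sourcetype, raw, cooked)
        meta.extend(added)
    elif path != "uf-idx":
        raise ValueError("unknown path: " + path)
    added, cooked = parsing_stage(idx_has_config, sourcetype, raw, cooked)
    meta.extend(added)
    return meta


if __name__ == "__main__":
    ev = SAMPLE_EVENTS[0]
    print("UF to indexer, config on indexer:      ",
          index_time_meta("uf-idx", "logger_cef", ev, False, True))
    print("UF to HF to indexer, config on indexer:",
          index_time_meta("uf-hf-idx", "logger_cef", ev, False, True))
    print("UF to HF to indexer, config on HF:     ",
          index_time_meta("uf-hf-idx", "logger_cef", ev, True, False))
    print("Quoted FORMAT stores the quotes:       ",
          apply_transforms("logger_cef", ev, transforms=QUOTED_TRANSFORMS))
```

The second run is the failure mode the question is about: with the config only on the indexers and the heavy forwarder in the path, the event arrives cooked and the indexed field is never written. Placing the config on the heavy forwarder (third run) produces the field, and putting it on both hosts is harmless because the indexer's stage is skipped for cooked data, which is the answer's "won't hurt, but more places to maintain" point.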
  </channel>
</rss>

