topic Re: Index time SEDCMD not applying when indexer is split from search head in Splunk Search

Index time SEDCMD not applying when indexer is split from search head

dbryan — Wed, 18 Jul 2012 03:58:14 GMT

I have a configuration working perfectly in development in an environment with a single Splunk instance.

This is the relevant part of props.conf, which we've put on the indexer so that the index-time transformation will be performed:

[host::DoubleClick]
SEDCMD-01_DoubleClickDelimSpacer = y/þ/, /
[mysourcetype1]
CHARSET = ISO-8859-1
[mysourcetype2]
CHARSET = ISO-8859-1

The SEDCMD is not working at all - the data is not being transformed. As I said, if I do this in an environment where the search head and the indexer are one and the same, and all my search-time field extractions are in the same props.conf as the above, everything works.

The CHARSET must be set correctly for Splunk to read the file correctly; I tried specifying it in the host stanza with the SEDCMD and it didn't help.

The production environment is running 4.3.0, while the dev environment is running 4.3.2.

Anyone got any tips?

Re: Index time SEDCMD not applying when indexer is split from search head

dbryan — Wed, 18 Jul 2012 07:16:23 GMT

Cracked it - looks like the character encoding had to be set on the forwarder, rather than on the indexer. I created a props.conf on the forwarder and set it in there and everything worked. Strange that the encoding handling is done on the forwarder when it's not doing any indexing.

Re: Index time SEDCMD not applying when indexer is split from search head

willthames2 — Thu, 19 Jul 2012 01:43:54 GMT

As with http://splunk-base.splunk.com/answers/11680/sedcmd-not-executing, if there is a heavy forwarder processing the data before the indexer, the SEDCMD and other parsing happens there.

See http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings for more details