https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-configurations-to-perform-an-index-time-field/m-p/309441#M92818 <P>Hello All</P> <P>My current environment is as follows :</P> <P>Syslog/UF (Universal Forwarder) -&gt; HF (Heavy Forwarder) -&gt; Indexers</P> <P>I am trying to perform an indexed time field extraction so that people can utilize the fields extracted across all Search Heads in our environment.</P> <P>The following are what i have now after lots of trying : </P> <P><STRONG>transforms.conf</STRONG> </P> <PRE><CODE>[ABC] REGEX = ^.*host\s(?1[^ ]+)\sat.+by\s(?2.+) FORMAT = $0:$1:$2:$3:$4:$5:$6 </CODE></PRE> <P><STRONG>props.conf</STRONG></P> <PRE><CODE>[sourcetype::XYZ] TRANSFORMS-ABC = a_B_C </CODE></PRE> <P>I tried pushing this to the indexers to populate the extraction, but it is not working.</P> <P>Also, the regex works in Search Time Extractions when i use it from the Search Head using a |rex "" command.</P> <P>Please help.</P> Fri, 17 Feb 2017 14:06:07 GMT vr2312 2017-02-17T14:06:07Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-configurations-to-perform-an-index-time-field/m-p/309441#M92818 <P>Hello All</P> <P>My current environment is as follows :</P> <P>Syslog/UF (Universal Forwarder) -&gt; HF (Heavy Forwarder) -&gt; Indexers</P> <P>I am trying to perform an indexed time field extraction so that people can utilize the fields extracted across all Search Heads in our environment.</P> <P>The following are what i have now after lots of trying : </P> <P><STRONG>transforms.conf</STRONG> </P> <PRE><CODE>[ABC] REGEX = ^.*host\s(?1[^ ]+)\sat.+by\s(?2.+) FORMAT = $0:$1:$2:$3:$4:$5:$6 </CODE></PRE> <P><STRONG>props.conf</STRONG></P> <PRE><CODE>[sourcetype::XYZ] TRANSFORMS-ABC = a_B_C </CODE></PRE> <P>I tried pushing this to the indexers to populate the extraction, but it is not working.</P> <P>Also, the regex works in Search Time Extractions when i use it from the Search Head using a |rex "" command.</P> <P>Please help.</P> Fri, 17 Feb 2017 14:06:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-configurations-to-perform-an-index-time-field/m-p/309441#M92818 vr2312 2017-02-17T14:06:07Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-configurations-to-perform-an-index-time-field/m-p/309442#M92819 <P>Since you're using a Heavy forwarder in between, the event parsing will happen on the Heavy forwarder and these configurations should get deployed to Heavy forwarder not Indexers. Also, you would need to update fields.conf on the Search Head. For complete details on steps, see this link.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Configureindex-timefieldextraction#Where_to_put_the_configuration_changes_in_a_distributed_environment">http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Configureindex-timefieldextraction#Where_to_put_the_configuration_changes_in_a_distributed_environment</A></P> Fri, 17 Feb 2017 14:30:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-configurations-to-perform-an-index-time-field/m-p/309442#M92819 somesoni2 2017-02-17T14:30:02Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-configurations-to-perform-an-index-time-field/m-p/309443#M92820 <P>There are few issues with your approach that you need to address to do what you are trying to do:</P> <OL> <LI>The data passing through the HF is already "cooked" when it hits the Indexer. Unless you reroute the data at the Indexer to force it to do the extractions, you have to do Index-time extractions at the HF.</LI> <LI>Your props.conf needs to say <CODE>TRANSFORMS-ABC = ABC</CODE>, where the right side of the equal sign needs to match the stanza in transforms.conf</LI> <LI>Your transforms.conf is incomplete for Index-time extractions. You should have <CODE>FORMAT</CODE> and <CODE>WRITE_META</CODE> fields</LI> <LI>You do not have anything in fields.conf which is required for Index-time extractions.</LI> </OL> <P>Look at this older question as a reference: <A href="https://answers.splunk.com/answers/103668/index-time-fields-with-heavy-forwarder.html">https://answers.splunk.com/answers/103668/index-time-fields-with-heavy-forwarder.html</A></P> Fri, 17 Feb 2017 14:30:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-configurations-to-perform-an-index-time-field/m-p/309443#M92820 rjthibod 2017-02-17T14:30:57Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-configurations-to-perform-an-index-time-field/m-p/309444#M92821 <P>@rjthibod </P> <P>I will push the fields.conf only to Search Heads ?</P> Fri, 17 Feb 2017 15:07:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-configurations-to-perform-an-index-time-field/m-p/309444#M92821 vr2312 2017-02-17T15:07:30Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-configurations-to-perform-an-index-time-field/m-p/309445#M92822 <P>Yes, I believe so.</P> Fri, 17 Feb 2017 15:12:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-configurations-to-perform-an-index-time-field/m-p/309445#M92822 rjthibod 2017-02-17T15:12:34Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-configurations-to-perform-an-index-time-field/m-p/309446#M92823 <P>It worked without the fields.conf being pushed to the Search Heads. </P> <P>the following were pushed to the HF's </P> <P>fields.conf<BR /> transforms.conf<BR /> props.conf</P> Mon, 20 Feb 2017 10:45:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-configurations-to-perform-an-index-time-field/m-p/309446#M92823 vr2312 2017-02-20T10:45:11Z