Splunk Search

where to do a field extraction

a212830
Champion

Hi,

I want to extract, and report on (also, put in a summary index), some standard fields from access logs. I have a standard multi-tier setup (uf, indexer, and search-head). I have the props.conf and transforms.conf, but my question is where should they go? Indexer, or search-head?


a212830
Champion

Thanks. So, I took what was in the ../etc/system/default/props.conf and transforms.conf (the access-extractions) and put them on the indexer (props.conf) and the search-head and bounced the search-head, but nothing is appearing. Any suggestions? I created a separate app for them.


lguinn2
Legend

There is a great article on the Splunk wiki: Where do I configure my Splunk settings?
It should help.

But FWIW, field extraction and summary indexing happen at search time, so the search head is the place that these settings belong. However, if your props.conf and transforms.conf also contain some settings that affect parsing, you might need to make a copy of the files on both the search head and the indexers.


okrabbe_splunk
Splunk Employee

You almost never want them. The short answer is that, because of how Splunk indexes are designed, there is very little advantage and often a cost to indexing additional fields.

The longer answer is that there are a few exceptions where it is worth doing, but it is for specific scenarios, such as when a value of the field also occurs often in other parts of the search results. This link describes a couple of situations where you would want them.
http://docs.splunk.com/Documentation/Splunk/5.0.3/Data/Configureindex-timefieldextraction


a212830
Champion

Thanks. I'm still trying to wrap my mind around when I want an index-time field extraction, and when I don't. Can you explain why I don't want one in this situation?


okrabbe_splunk
Splunk Employee

lguin makes a great point about the active app. I make that mistake all the time but luckily you can find the extractions in the gui in manager and change the permissions there very easily.


lguinn2
Legend

For search-time field extractions, you shouldn't need to bounce the search head, just run a new search.

Now I wonder if you have inadvertently created index-time field extractions (which you don't want.) Can you update the question with the relevant snippets of your props.conf and transforms.conf files?

Also, be aware that your field extractions will only be active in the app where they were created unless you make them global... And you should NOT be copying from etc/system/default; in general that is not a good idea.

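As an added example (not code from this thread or from Splunk), here is a small Python check that reads props.conf and transforms.conf text and reports which extraction classes run at search time (search head) versus index time (indexer), so you can spot inadvertently created index-time field extractions before deploying. The sample stanzas are constructed for illustration, and the access-extractions regex is a simplified stand-in for the one shipped in etc/system/default.

```python
import configparser

# Constructed sample stanzas (not the thread's files); the access-extractions
# regex is a simplified stand-in for the one shipped in etc/system/default.
PROPS_CONF = r"""[access_common]
REPORT-access = access-extractions
[access_combined]
TRANSFORMS-status = index-time-status
TRANSFORMS-drop = drop-healthchecks
"""

TRANSFORMS_CONF = r"""[access-extractions]
REGEX = ^(?<clientip>\S+) \S+ \S+ \[[^\]]+\] "(?<method>\S+) (?<uri_path>\S+)[^"]*" (?<status>\d+)
[index-time-status]
REGEX = \s(\d{3})\s\d+
FORMAT = status::$1
WRITE_META = true
[drop-healthchecks]
REGEX = GET /health
DEST_KEY = queue
FORMAT = nullQueue
"""


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keys such as REPORT-access are case-sensitive
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def classify_extractions(props_text, transforms_text):
    """Map each (stanza, class) in props.conf to where Splunk applies it."""
    # REPORT-/EXTRACT- run at search time; TRANSFORMS- run at index time and
    # only create index-time fields when the transform sets WRITE_META = true.
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    placement = {}
    for stanza, keys in props.items():
        for key, value in keys.items():
            if key.startswith(("REPORT-", "EXTRACT-")):
                placement[(stanza, key)] = "search-time extraction (search head)"
            elif key.startswith("TRANSFORMS-"):
                names = [n.strip() for n in value.split(",")]
                meta = [n for n in names if transforms.get(n, {}).get("WRITE_META", "").lower() == "true"]
                placement[(stanza, key)] = ("index-time field extraction (indexer)" if meta
                                            else "index-time transform, no fields (indexer)")
    return placement
```

Run it against your own app's local/props.conf and local/transforms.conf: anything reported as an index-time field extraction is what lguinn2 is warning about, and anything search-time has no effect on the indexer at all.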
