Where to perform field extraction in Splunk cluste...

neltonk · ‎07-20-2018

Hi, I am new to Splunk. I have built a splunk cluster (3 indexers, 1 master(also the license master), 1 search head).
I have deployed universal forwarders to all the servers using ansible and I am getting the data that I require. However I am not sure where do I now extract fields - in the indexers or search head?

Please advice...

Thanks,
Nelton

FrankVl · ‎07-20-2018

Field extractions are configured on the Search Head, since they happen at search time.

Unless you have any specific need to perform index time extractions (e.g. to override the host / sourcetype). Those would have to be set on the indexers.

neltonk · ‎07-20-2018

Thanks a lot for your quick response... if I have to override the host field, do I have to do the field extraction on each indexer? Please let me know.

FrankVl · ‎07-20-2018

Best is to create a small app, that contains the relevant props.conf and transforms.conf and push that to all indexers in the cluster from the cluster master.
http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Updatepeerconfigurations

neltonk · ‎07-20-2018

And when done on indexer, will I be using the splunk web to do this or should this be done using props.conf.
Thanks,Nelton

Where to perform field extraction in Splunk cluster

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All

Splunk Security Content for Threat Detection & Response, Q1 Roundup