Hi, I am new to Splunk. I have built a Splunk cluster (3 indexers, 1 master (also the license master), 1 search head).
I have deployed universal forwarders to all the servers using Ansible and I am getting the data that I require. However, I am not sure where I should now extract fields: in the indexers or the search head?
Please advise...
Thanks,
Nelton
Field extractions are configured on the Search Head, since they happen at search time.
That is, unless you have a specific need to perform index-time extractions (e.g. to override the host / sourcetype); those would have to be set on the indexers.
Thanks a lot for your quick response... If I have to override the host field, do I have to do the field extraction on each indexer? Please let me know.
Best is to create a small app that contains the relevant props.conf and transforms.conf and push that to all indexers in the cluster from the cluster master.
http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Updatepeerconfigurations
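As an added example (not from the answer above or from Splunk's docs), the script below builds the kind of small app the reply describes: an index-time host override in props.conf and transforms.conf, laid out so it can be dropped into the cluster master's master-apps directory and pushed to the peers. The app name, the sourcetype and the assumed event layout are constructed for illustration.

```shell
# Build a minimal Splunk app that overrides the host field at index time.
# Everything here is an assumed example: app name, sourcetype and event shape.
set -eu

build_host_override_app() {
    base_dir="$1"                                   # e.g. $SPLUNK_HOME/etc/master-apps
    app_dir="$base_dir/host_override_app"           # constructed app name
    mkdir -p "$app_dir/local"

    # props.conf: attach the transform to a sourcetype (constructed: app_syslog).
    # TRANSFORMS-* stanzas run at index time, so this must live on the indexers
    # (universal forwarders do not parse, so the peers do this work).
    cat > "$app_dir/local/props.conf" <<'EOF'
[app_syslog]
TRANSFORMS-hostoverride = set_host_from_event
EOF

    # transforms.conf: take the host from the event text itself.
    # Assumed event layout: "Mar 10 12:00:01 hostname rest-of-line".
    cat > "$app_dir/local/transforms.conf" <<'EOF'
[set_host_from_event]
DEST_KEY = MetaData:Host
REGEX = ^[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(\S+)\s
FORMAT = host::$1
EOF
    printf '%s\n' "$app_dir"
}

# Sanity check before pushing: both files exist and every transform that
# props.conf references has a matching stanza in transforms.conf.
check_host_override_app() {
    app_dir="$1"
    [ -f "$app_dir/local/props.conf" ] && [ -f "$app_dir/local/transforms.conf" ] || return 1
    for name in $(sed -n 's/^TRANSFORMS-[^=]*= *//p' "$app_dir/local/props.conf" | tr ',' ' '); do
        grep -q "^\[$name\]" "$app_dir/local/transforms.conf" || return 1
    done
    return 0
}

# Typical use on the cluster master (not executed here):
#   build_host_override_app "$SPLUNK_HOME/etc/master-apps"
#   check_host_override_app "$SPLUNK_HOME/etc/master-apps/host_override_app"
#   splunk validate cluster-bundle && splunk apply cluster-bundle
```

Editing the files directly in Splunk Web is not an option for cluster peers; the bundle push from the master is what keeps all indexers identical.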
And when done on the indexer, will I be using Splunk Web to do this, or should this be done using props.conf?
Thanks, Nelton