Deployment Architecture

Where to perform field extraction in Splunk cluster

neltonk
Path Finder

Hi, I am new to Splunk. I have built a splunk cluster (3 indexers, 1 master(also the license master), 1 search head).
I have deployed universal forwarders to all the servers using Ansible and I am getting the data that I require. However, I am not sure where I should now extract fields - on the indexers or on the search head?

Please advise...

Thanks,
Nelton

FrankVl
Ultra Champion

Field extractions are configured on the Search Head, since they happen at search time.

Unless you have any specific need to perform index time extractions (e.g. to override the host / sourcetype). Those would have to be set on the indexers.

neltonk
Path Finder

Thanks a lot for your quick response... if I have to override the host field, do I have to do the field extraction on each indexer? Please let me know.

0 Karma

FrankVl
Ultra Champion

Best is to create a small app that contains the relevant props.conf and transforms.conf and push that to all indexers in the cluster from the cluster master.
http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Updatepeerconfigurations

0 Karma
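Putting the two answers above side by side, as an added example that is not part of the original posts: a search-time extraction lives in an app on the search head, while an index-time host override lives in an app under the cluster master's master-apps directory (manager-apps on newer releases) and is pushed to every peer. The app names, the sourcetype "myapp", the field names and the sample event are all assumptions made for this example.

```ini
# --- Search head: $SPLUNK_HOME/etc/apps/myapp_fields/local/props.conf ---
# Search-time extraction. Nothing is written to the index; the regex runs
# on the search head when a search reads events of sourcetype "myapp".
# (sourcetype and field names are assumed for this example)
[myapp]
EXTRACT-user_and_action = user=(?<user>\S+)\s+action=(?<action>\S+)

# --- Cluster master: $SPLUNK_HOME/etc/master-apps/myapp_indextime/local/props.conf ---
# Index-time host override. This has to run where parsing happens (the
# indexers), so it goes into an app that the master pushes to all peers.
[myapp]
TRANSFORMS-set_host = myapp_host_from_event

# --- Cluster master: $SPLUNK_HOME/etc/master-apps/myapp_indextime/local/transforms.conf ---
# Constructed sample event this regex is written for:
#   2024-03-01T12:00:00Z web-01 myapp: user=alice action=login
# Capture group 1 is the second whitespace-separated token ("web-01"),
# which replaces whatever host value the forwarder sent.
[myapp_host_from_event]
REGEX = ^\S+\s+(\S+)\s
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

After placing the indexer-side app on the master, run `splunk apply cluster-bundle` there (the procedure in the linked docs page); the master validates the bundle, distributes it to the peers, and triggers a rolling restart of the peers if the change needs one. Two caveats worth knowing: the override only applies to events indexed after the bundle is applied, data already on disk keeps its old host value; and if a heavy forwarder sits between the universal forwarders and the indexers, parsing happens on the heavy forwarder instead, so the index-time stanzas must be deployed there rather than to the indexers.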

neltonk
Path Finder

And when done on the indexer, will I be using Splunk Web to do this, or should this be done using props.conf?
Thanks,
Nelton

0 Karma