- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Best Practice for Adding a Transforms on Indexers
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Best Practice for Adding a Transforms on Indexers
Hey Splunk world,
After learning that the nullQueue option for eliminating unneeded data is required to be installed on an indexer as a props/transforms combo vs. placing it on a UF.
I had one more question regarding this as I come into this roadblock quite a few times in our Splunk Cloud environment. Since we are on Splunk Cloud v 7.2, we run into rolling restarts on sourcetype additions and app installs. The way the folks in the admin realm have done things in the past is to add a props/transforms on a custom app, install it on the SH + Indexers and then allow those settings to globally apply across the environment on the specific sourcetype.
Is there a different way of implementing the below props/transforms combo into our environment without causing the rolling restart via app install? I usually add extractions via the GUI and this allows me to not cause a rollin restart, but with the format required for this data manipulation, I'm not sure if I'm able to use the GUI. Mainly wanting to save time and not wait until our Saturday maintenance window to make a change. Splunk Cloud does not allow access to the server CLI per SH or indexer.
PROPS
[linux_audit]
TRANSFORMS-null= setnull
TRANSFORMS
[setnull]
REGEX = type=CWD | key=\"delete\"
DEST_KEY = queue
FORMAT = nullQueue
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am a new Cloud customer myself, running Cloud version 2006. You have articulated a major problem I also have with Splunk Cloud. On-prem, the vast majority of config administration I performed did not require a rolling restart. Now in Splunk Cloud, just about everything I need to do incurs a rolling restart. This significantly extends the implementation timeline of every project, activity or fix. It is a major inconvenience and makes me question our decision to move to Cloud in the first place. Based on my initial experience, I am asking myself whether the administrative limitations enforced in Cloud were worth the trade. In the end I think handing off the search/index/storage infrastructure management will be worth it, but the transition from on-prem to Splunk Cloud is a nightmare. What a mess.
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
