Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Best Practice for Adding a Transforms on Indexers

dfurtaw
Path Finder
‎08-04-2020 10:18 AM

Hey Splunk world,

 

After learning that the nullQueue option for eliminating unneeded data is required to be installed on an indexer as a props/transforms combo vs. placing it on a UF.

 

I had one more question regarding this as I come into this roadblock quite a few times in our Splunk Cloud environment. Since we are on Splunk Cloud v 7.2, we run into rolling restarts on sourcetype additions and app installs. The way the folks in the admin realm have done things in the past is to add a props/transforms on a custom app, install it on the SH + Indexers and then allow those settings to globally apply across the environment on the specific sourcetype.

 

Is there a different way of implementing the below props/transforms combo into our environment without causing the rolling restart via app install? I usually add extractions via the GUI and this allows me to not cause a rollin restart, but with the format required for this data manipulation, I'm not sure if I'm able to use the GUI. Mainly wanting to save time and not wait until our Saturday maintenance window to make a change. Splunk Cloud does not allow access to the server CLI per SH or indexer.

PROPS

[linux_audit]
TRANSFORMS-null= setnull

TRANSFORMS

[setnull]
REGEX = type=CWD | key=\"delete\"
DEST_KEY = queue
FORMAT = nullQueue

Thank you!

Labels (3)
Reply

_smp_
Builder
‎08-27-2020 08:33 AM

I am a new Cloud customer myself, running Cloud version 2006. You have articulated a major problem I also have with Splunk Cloud. On-prem, the vast majority of config administration I performed did not require a rolling restart. Now in Splunk Cloud, just about everything I need to do incurs a rolling restart. This significantly extends the implementation timeline of every project, activity or fix. It is a major inconvenience and makes me question our decision to move to Cloud in the first place. Based on my initial experience, I am asking myself whether the administrative limitations enforced in Cloud were worth the trade. In the end I think handing off the search/index/storage infrastructure management will be worth it, but the transition from on-prem to Splunk Cloud is a nightmare. What a mess.

Tags (1)
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...