Solved: Does TRANSFORMS applies on Heavy Forwarder or on I...

VatsalJagani · ‎04-24-2019

Let me know the correct scenario for heavy forwarder if I'm using only forwarding and not indexing and forwarding?

Heavy forwarder applies the TRANSFORMS (including nullQueue and other) and it sends the transformed data to indexer.
Heavy forwarder sends the _raw data only to indexer and TRANSFORM will only happens if I'm using IndexAndForward.

In case of the first scenario is correct, will the TRANSFORMS applies on indexer as well?

woodcock · ‎04-24-2019

Any TRANSFORMS- setting applies to the first full instance of splunk who handles the event. So if you are using HFs, it will be the HFs, if not, it will be the Indexers.

View solution in original post

woodcock · ‎04-24-2019

Any TRANSFORMS- setting applies to the first full instance of splunk who handles the event. So if you are using HFs, it will be the HFs, if not, it will be the Indexers.

VatsalJagani · ‎04-24-2019

Thanks @woodcock for the answer that make sense. I've also recently verified this by small POC.

Do all parsing happens on HF of there are some config that specifically handles on indexer?

woodcock · ‎04-25-2019

All index-time things will happen on the HF.

Does TRANSFORMS applies on Heavy Forwarder or on Indexer?

Introducing Edge Processor: Next Gen Data Transformation

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Using Machine Learning for Hunting Security Threats