- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Forwarder configuration
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a log file on a windows forwarder for which - I want to segregate the fields contained in that log file -- on the forwarder -- before they are pickedup by the indexer.
The configuration at : C:\Program Files\SplunkUniversalForwarder\etc\system\local\ is like this:
>>inputs.conf:
[monitor ://D\Folder]
disabled=0
whitelist=Organization\.csv*
index=main
sourcetype=alpha
This works UP TILL THIS POINT - as in - searching for sourcetype=alpha gives us properly indexed content of Organization.log
The next and the more painful step is to correctly configure the props.conf and transforms.conf [neither of which exist under C:\Program Files\SplunkUniversalForwarder\etc\system\local\ - SO I HAD TO ADD THEM]
>> props.conf:
[alpha]
REPORT-alpha = alpha-fields
>> transforms.conf:
[alpha-fields]
DELIMS=","
FIELDS="field1-alpha", "field2-alpha"
This does not work.
Any ideas ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"REPORT" is a search time extraction , so your props.conf and transforms.conf should live on your Splunk Search Head , not the Universal Forwarder.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"REPORT" is a search time extraction , so your props.conf and transforms.conf should live on your Splunk Search Head , not the Universal Forwarder.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
These are again the changes we made and their locations:
On the FORWARDER (Windows Machine) - inputs.conf - changed at :
\etc\system\local\
--
On the INDEXER (Search Head) - we added the following to props.conf at C:\Program Files\Splunk\etc\system\local\
C:\Program Files\SplunkUniversalForwarder\etc\system\local\
[alpha]
CHECK_FOR_HEADER=true
KV_MODE=none
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false
--
On the INDEXER (Search Head) - we added a second props.conf and transforms.conf (from my initial post) at
C:\Program Files\Splunk\etc\apps\search\local\
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks damien !
That did not seem to work out for us 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For the particular configuration you have described in your original post :
inputs.conf -> Universal Forwarder
props.conf & transforms.conf -> Splunk Search Head
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does it matter that the configuration to capture this sourcetype is done on the forwarder side ?
We changed the inputs.conf on the forwarder side
Shouldnt the props.conf and transforms.conf also live on the forwarder side ?
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
