We have Universal Forwarder on our windows servers varying in version from 6.2.3 to 7.1.3. Our Splunk Enterprise version is 7.0.1 (upgrading soon).
I was always under the impression that formatting data on a UF was impossible but I have learned today that in some rare circumstances (structured data) that it can be done.
My question is, is there a way to tell with a search which, if any, forwarders are utilizing props or transforms?
Check this Wiki page. It contains a diagram of the indexing flow and where each conf file and/or conf attribute is used.
Hope this helps clear some doubts.
Thanks but that doesn't really help. My objective is to determine if there are any formatting changes going on on the universal forwarders in our environment. We are planning upgrades and want to make sure we don't negatively affect anything. So I just need to determine if there are any of our UF's that have custom props or transforms running on them.
you can use btool in CLI to determine what is being applied in your UF.
splunk btool props list --debug
splunk btool transforms list --debug
anything that is not in system/default is somewhat "custom" and you can check the path of the "offender" .conf file
This can be used for all conf files (e.g server, web, etc.)
But these need to be run on the systems where the UF is installed, right? I was hoping there might be a way to tell from the searchhead.
Yes. They need to be executed in the UF machines
Following best pratices you would have most of the UF configs (if not all) managed by a deployment server. Leaving the other UF Config untouched. That way you could easily check what was being deployed just by looking into deployment apps.
as you said the only case where props and transforms are really used in UFs is ingesting structured data (e.g. csv).
But this is an advantage for you because you can manage these files in only one point (Indexers, Search Heads and Heavy Forwarders).
What is the reason
to use these files on UFs?
if you want to use them to filter logs, you can do (only wineventlog) in inputs.conf.
I don't see any additional reason to parse logs on UFs.
In addition, how do you manage UFs?
using Deployment Server you have a full control of your UFs configurations.
If the input is using
INDEXED_EXTRACTIONS then the field creation is happening on the UF, otherwise it is not.