Getting Data In

Index time fields ignored in cluster

charltones
Explorer

I have a cluster setup with search head, master, 3 indexers and a forwarder. The index config is pushed from the master (and I can see after splunk apply cluster-bundle) that it successfully turns up on each index node. The problem is that all the index time transforms I have entered are being ignored.

I have the same symptoms as this question (http://answers.splunk.com/answers/93776/push-configuration-files-in-cluster) but my fields are extracted at index time. I successfully applied the same config (or at least I thought it was the same) on a separate cluster and that worked fine. Can anyone point me in the right direction to debug why the transforms are not being applied?

Similar also to this issue: http://answers.splunk.com/answers/118649/index-time-props-and-transforms-not-working

Splunk Enterprise 6.1

0 Karma
1 Solution

charltones
Explorer

I think the answer is that either:

  1. This doesn't work - you can't have index time fields carried out by indexers in a cluster or
  2. It is because I was using a heavy forwarder - i.e. it believed the indexing work had already been done.

I didn't realise I was using a heavy forwarder, but I've fixed my problem by moving the indexing config to the forwarder instead and it is all behaving as expected now

View solution in original post

0 Karma

charltones
Explorer

I think the answer is that either:

  1. This doesn't work - you can't have index time fields carried out by indexers in a cluster or
  2. It is because I was using a heavy forwarder - i.e. it believed the indexing work had already been done.

I didn't realise I was using a heavy forwarder, but I've fixed my problem by moving the indexing config to the forwarder instead and it is all behaving as expected now

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...