Getting Data In

Index time fields ignored in cluster

charltones
Explorer

I have a cluster setup with search head, master, 3 indexers and a forwarder. The index config is pushed from the master, and I can see (after splunk apply cluster-bundle) that it successfully turns up on each index node. The problem is that all the index time transforms I have entered are being ignored.

I have the same symptoms as this question (http://answers.splunk.com/answers/93776/push-configuration-files-in-cluster) but my fields are extracted at index time. I successfully applied the same config (or at least I thought it was the same) on a separate cluster and that worked fine. Can anyone point me in the right direction to debug why the transforms are not being applied?

Similar also to this issue: http://answers.splunk.com/answers/118649/index-time-props-and-transforms-not-working

Splunk Enterprise 6.1

0 Karma
1 Solution

charltones
Explorer

I think the answer is that either:

  1. This doesn't work - you can't have index time fields carried out by indexers in a cluster or
  2. It is because I was using a heavy forwarder - i.e. it believed the indexing work had already been done.

I didn't realise I was using a heavy forwarder, but I've fixed my problem by moving the indexing config to the forwarder instead and it is all behaving as expected now.


0 Karma
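The layout the accepted answer ended up with, as an added example that is not the poster's configuration: an index-time field extraction placed on the heavy forwarder, which is the instance that parses the events. The sourcetype, stanza name, field name and sample event are hypothetical.

```ini
# --- props.conf (on the heavy forwarder, where the data is parsed) ---
# my_app_logs is a hypothetical sourcetype.
[my_app_logs]
TRANSFORMS-txnid = extract_txn_id

# --- transforms.conf (same instance as the props.conf above) ---
# extract_txn_id and txn_id are hypothetical names. The regex matches a
# constructed event such as:
#   2014-06-01 12:00:00 txn=AB12CD status=ok
[extract_txn_id]
REGEX = txn=(\w+)
FORMAT = txn_id::$1
# WRITE_META makes the extracted key/value an indexed field.
WRITE_META = true

# --- fields.conf (on the search head) ---
# Tells search that txn_id is stored in the index rather than
# extracted at search time.
[txn_id]
INDEXED = true
```

Running `splunk btool props list my_app_logs --debug` on the forwarder shows which file each setting in the stanza is read from, which confirms the config is live on the instance doing the parsing.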
