Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Location of props.conf and transforms.conf in a distributed setup

michaelnorup
Communicator
‎12-08-2022 01:58 AM

Hi Guys.
I have a distributed setup consisting of 1 search head, 1 deployment/license server, 1 indexer.
And a whole bunch of universal forwarders.

I am trying to filter out some of the data coming in with transforms.conf:

 

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = "name":"System availability"
DEST_KEY = queue
FORMAT = indexQueue

 

 


and a props.conf

 

[Zabbix-history]
SHOULD_LINEMERGE = falde
MAX_TIMESTAMP_LOOKAHEAD = 300
detect_trailing_nulls = auto
TIME_PREFIX = \"clock\":
KV_MODE = json
AUTO_KV_JSON = true
TRANSFORMS-set = setnull,setparsing

 

 


A log example that i would like to index, matching the regex in transforms.conf

 

{"host":{"host":"xxxxx","name":"xxxx"},"groups":["xxxx Prod","xxxx","Windows servers"],"item_tags":[{"tag":"SAP Basis","value":""},{"tag":"System availability","value":""},{"tag":"SID1","value":""},{"tag":"Product","value":"Web Server"},{"tag":"SID","value":"WSP"}],"itemid":900162,"name":"System availability","clock":1670486400,"count":13,"min":1,"avg":1,"max":1,"type":3}

 

 

 

Currently the props.conf and transforms.conf are on the indexer in the designated app.

Its currently filtering out all the logs with the sourcetype Zabbix-history, and not indexing the "name":"System Availability"

Does the props/transforms also need to be on the searchhead, or pushed to the universalforwarder with the deployment server?

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-08-2022 02:37 AM

Hi @michaelnorup,

filtering action is runned only on Indexers or (when present) on Heavy Forwarders, so if you have only filtering configurations you don't need to put your props.conf and transpose.conf files on Search Head or Universal Forwarders (via Deployment Server).

But if in the same props.conf and transformas.conf there are other parsing settings (e.g. fied extractions, lookups definiton, etc...) in this case you have to put the conf files also in Search Head.

A least, if in the props.conf there's also the INDEXED_EXTRACTIONS option, you have also to put conf files also on Universal Forwarders (via DS).

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-08-2022 02:37 AM

Hi @michaelnorup,

filtering action is runned only on Indexers or (when present) on Heavy Forwarders, so if you have only filtering configurations you don't need to put your props.conf and transpose.conf files on Search Head or Universal Forwarders (via Deployment Server).

But if in the same props.conf and transformas.conf there are other parsing settings (e.g. fied extractions, lookups definiton, etc...) in this case you have to put the conf files also in Search Head.

A least, if in the props.conf there's also the INDEXED_EXTRACTIONS option, you have also to put conf files also on Universal Forwarders (via DS).

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-08-2022 10:44 PM

Hi @michaelnorup,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...