Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Question on Props and Transforms ?

Hemnaath
Motivator
‎06-05-2018 05:55 AM

Hi had a question from my security team that is, where it will be highly secure to palace the props and transforms configuration file in the splunk environment.

I had answered him as Heavy forwarder / Indexer. But not sure whether my answer is correct or not, could please answer this.

thanks in advance.

Tags (2)
0 Karma
Reply

FrankVl
Ultra Champion
‎06-05-2018 06:40 AM
  1. props and transforms files need to be in specific locations for Splunk to read them. (typically either in etc/system/local or in separate apps under etc/apps/)
  2. props and transforms need to go on the relevant component, depending on the type of config in them (index time config needs to be on HF / Indexer, search time config should be on your SHs), you can't freely choose that

Can you provide some context around this question? What requirements do they have to keep these files "highly secure"? What does that mean and what do they want to protect these files from?

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...