Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Heavy Forwarder Transforms

ferdousfahim
Engager
‎08-14-2024 02:41 AM

Hi, 

I have a Splunk Heavy Forwarder routing data to a Splunk Indexer. I also have a search head configured that performs distributed search on my indexer.

My Heavy forwarder has a forwarding license, so it does not index the data. However, I still want to use props.conf and transforms.conf on my forwarder. These configs are:

===============================================================

transforms.conf
[extract_syslog_fields]
DELIMS = "|"
FIELDS = "datetime", "syslog_level", "syslog_source", "syslog_message"
===============================================================
props.conf
[router_syslog]
TIME_FORMAT = %a %b %d %H:%M:%S %Y
MAX_TIMESTAMP_LOOKAHEAD = 24
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TRUNCATE = 10000
TRANSFORMS-extracted_fields = extract_syslog_fields



So what I expected is that when I search the index on my search head, I would see the fields  "datetime", "syslog_level", "syslog_source", "syslog_message" . However, this does not occur. On the otherhand, if I configure field extractions on the search-head, this works just fine and my syslog data is split up into those fields.

Am I misunderstanding how Transforms work ? Is the heavy forwarder incapable of splitting up my syslog into different fields based on a delimiter because it's not indexing the data ? 


Any help or advice would be highly appreciated. Thank you so much!

Labels (3)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-14-2024 07:33 AM

Hi @ferdousfahim ,

I usually use this transformations at search time, but to apply them on Forwarders, you have to use INDEXED_EXTRACTIONS=CSV in props.conf, for more infos see at https://docs.splunk.com/Documentation/Splunk/9.3.0/Data/Extractfieldsfromfileswithstructureddata

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...