Getting Data In

Standalone SH pulling data from Indexer Clustering - but indexer time settings not being applied by default.

gnagasri
Engager

Existing Env :

1. Indexer Clustering

2. Search head Clustering.

For testing an issue, I have a standalone searchhead instance pulling data from the indexer cluster (successfully set up - separate from the existing searchhead clustering) and able to fetch data from all the search peers as well.

But I don't see any index time settings of props or transforms being applied to the data when I view from the standalone searchhead. I have manually added a single app's settings in /etc/system/default and /etc/system/local, and it works. I have many applications which have to be applied.

 

Can you please provide me an easy solution, if possible, for the existing custom app settings of the indexer clustering environment to be applied when queried from my standalone searchhead?

0 Karma

PickleRick
SplunkTrust

1. You should never touch contents of system/default or <app>/default.

2. You'd better not touch system/local either. It's best to put settings into apps.

3. I suspect there is some misunderstanding: index-time props and transforms happen before search time. And these reside and are done on indexers and/or HFs. And with modern Splunk versions even indexed fields usually don't rely on the configuration as much as they used to, so most if not all indexed fields should be shown in your search results.

You probably mean the search-time settings (field extractions, eventtypes, tags and so on). Unfortunately, there is no "fire and forget" way of migrating them from one instance to another. You might try copying etc/shcluster/apps from your deployer (you have a SH cluster, right?) to etc/apps on your stand-alone SH but that might not cover all content.

Alternatively you can copy etc/apps from one of the SHC members. But again - that might not cover all content, especially users' private content.

And there might be also some settings in system/local (which - as I said before - should generally be avoided).

0 Karma

isoutamo
SplunkTrust

Quite probably this is your issue.

I'm expecting that you have some defaults in your SHC's Deployer for those apps, but then you have a lot of changes done via the SHC's GUI. Those are not present in the Deployer. Then if you also have some configurations whose permissions are private, those are not even inside .../etc/apps/<app name>, and you cannot get that information before you have changed the permission for those KOs to app instead of private.

Then probably the biggest issue is that your users have done those changes inside the default "search and reporting" app. Then basically what you should/must do is create a separate app, then move those into that app, and there export it and install it into your separate SH.

But it's hard to say what exactly you must do without seeing your environment. So maybe it's best to get some local Splunk Partner/Consultant who can come to your place and look at it together with you.

0 Karma

livehybrid
SplunkTrust

Hi @gnagasri 

Can you please give examples of index-time settings which are not being applied on your adhoc SH? The index-time settings only need to be on the indexers if they are receiving the data - it sounds more likely that there are some search-time parsing configurations which are on your SHC but not applied to your adhoc searchhead.

You will need to copy the apps containing the props/transforms/fields/lookups etc from your SHC to your adhoc SH (and then restart it) for these settings to apply.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

0 Karma
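
The replies above separate index-time settings, which act on the indexers or heavy forwarders, from search-time settings, which have to exist on the search head that runs the query. As an added example (not posted by anyone in this thread), this Python sketch sorts the keys of a props.conf into those two groups; the grouping is a partial list of props.conf setting names, and the sample stanzas, sourcetypes and transform names are constructed.

```python
import re

# Partial grouping of props.conf setting names (assumption: not exhaustive).
SEARCH_TIME = re.compile(r"^(?:(?:EXTRACT|REPORT|FIELDALIAS|EVAL|LOOKUP)-.+|KV_MODE|rename)$")
INDEX_TIME = re.compile(
    r"^(?:(?:TRANSFORMS|SEDCMD)-.+|LINE_BREAKER|SHOULD_LINEMERGE|TIME_PREFIX"
    r"|TIME_FORMAT|MAX_TIMESTAMP_LOOKAHEAD|TRUNCATE|TZ)$"
)

# Constructed sample; sourcetypes and transform names are made up.
SAMPLE_PROPS = r"""
[acme:fw]
LINE_BREAKER = ([\r\n]+)
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
TRANSFORMS-route = acme_route_index
EXTRACT-user = user=(?<user>\S+)
REPORT-kv = acme_kv
FIELDALIAS-src = src_ip AS src
LOOKUP-asset = assets ip AS src OUTPUT owner

[acme:proxy]
KV_MODE = json
EVAL-action = if(status<400, "allowed", "blocked")
"""

def classify_props(text):
    """Map each stanza to its search-time, index-time and unclassified keys."""
    result, stanza, continued = {}, "default", False
    for raw in text.splitlines():
        line = raw.strip()
        # A trailing backslash continues the value onto the next line.
        was_continued, continued = continued, line.endswith("\\")
        if was_continued or not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        if "=" not in line:
            continue
        key = line.split("=", 1)[0].strip()
        groups = result.setdefault(stanza, {"search": [], "index": [], "other": []})
        kind = "search" if SEARCH_TIME.match(key) else "index" if INDEX_TIME.match(key) else "other"
        groups[kind].append(key)
    return result

if __name__ == "__main__":
    for stanza, groups in classify_props(SAMPLE_PROPS).items():
        print(f"[{stanza}] needed on the search head: {groups['search']}")
        print(f"[{stanza}] handled on indexers/HFs:   {groups['index']}")
```

REPORT- and LOOKUP- entries point at stanzas in transforms.conf, so those definitions (and any lookup files) have to travel with the app as well.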