Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Transforms and props files on splunk universal forwarder?

splunkatl
Path Finder
‎06-20-2012 07:45 AM

we have splunk main and four splunk universal forwarders.I do not have access to physical box of splunk main which was maintained by some other admins from different group .everytime I have to request the folks to copy the transforms and props files to right folder on splunk main server (/splunk\etc\apps\appnamePOC\local).
can I place these files on my splunkuniversalforwarder machines rather asking admin to copy on splunk main folders
All I need is palce the files to splunkforwarder\etc\apps\appnamePOC\local. will that work?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

jbsplunk
Splunk Employee
Splunk Employee
‎06-20-2012 08:51 AM

This will not work. The universal forwarder does not parse data and your props/transforms will be ignored, as they happen where data is parsed. This happens at 1) a heavy forwarder, or 2) an indexer.

View solution in original post

Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎12-05-2015 03:55 AM

Indexed_extractions must be done on the universal forwarder. This answer is for folks using indexed_extractions only. If you're struggling getting your props to work, you might consider placing it on the UF now.

http://docs.splunk.com/Documentation/Splunk/6.2.0/admin/Configurationparametersandthedatapipeline

Data pipeline phase --- Components that can perform this role
Input --- indexer , universal forwarder , heavy forwarder
Parsing ---- indexer, heavy forwarder, light/universal forwarder (in conjunction with the INDEXED_EXTRACTIONS attribute only)
Indexing ---indexer
Search ---indexer,search head

Reply
Solved! Jump to solution
Solution

jbsplunk
Splunk Employee
Splunk Employee
‎06-20-2012 08:51 AM

This will not work. The universal forwarder does not parse data and your props/transforms will be ignored, as they happen where data is parsed. This happens at 1) a heavy forwarder, or 2) an indexer.

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-15-2014 09:54 AM

Props.conf (and subsequently) applies to a particular sourcetype( or source/host). You have ensure that universal forwarder ->inputs.conf have correct sourcetype (or any other) assignment.

0 Karma
Reply
Solved! Jump to solution

Strunk
Explorer
‎07-15-2014 09:49 AM

So how would you tell the indexer to only apply a props/transforms to a particular monitor on a particular universal forwarder?

0 Karma
Reply
Solved! Jump to solution

jbsplunk
Splunk Employee
Splunk Employee
‎06-20-2012 09:09 AM

Glad to be able to help clear things up for you.

0 Karma
Reply
Solved! Jump to solution

splunkatl
Path Finder
‎06-20-2012 09:08 AM

Thank you for quick response.

0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...