Transforms within cluster not working

jorambokma · ‎03-11-2021

Hi,

Within our splunk environment we have 1 search head, 3 search peers, 1 deployer/master/license and 500+ UF. The uf's are configerd with WMI monitoring.

Since the field DisplayName from the WMI output isn't correct extracted, I would like to perform a custom extraction at index time. I know that the search time extractions are the best practice, but since it is a lot of data i would like to do this at index time.

So this is what I did;

Deployed prop.conf and tranforms.conf on the search peers.

Props.conf

[source::WMI...]
TRANSFORMS-Display = DisplayNametrans
SHOULD_LINEMERGE = false

transforms.conf

[DisplayNametrans]
REGEX = DisplayName=(?<DisplayName2>.*)\nName
FORMAT = DisplayName2::$1
WRITE_META = true

Created fields.conf on the search head

fields.conf

[DisplayName2]
INDEXED=true

After restarting everything, nothing happend....

To troubleshoot a little further, I changed the function TRANSFORMS-Display to REPORT-Display and then it's working which means my regex works...

Does somebody has an idea what i do wrong?

Kind regards, Joram

scelikok · ‎03-13-2021

Hi @jorambokma,

Are you getting WMI data using a heavy forwarder? If yes you should place props.conf and transforms.conf into that HF.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

jorambokma · ‎03-15-2021

Hi @scelikok,

Thanks for the response.

No, the UF's send their data directly to the search peers.