Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Transforms within cluster not working

jorambokma
Explorer
‎03-11-2021 06:42 AM

Hi,

Within our splunk environment we have 1 search head, 3 search peers, 1 deployer/master/license and 500+ UF. The uf's are configerd with WMI monitoring. 

Since the field DisplayName from the WMI output isn't correct extracted, I would like to perform a custom extraction at index time. I know that the search time extractions are the best practice, but since it is a lot of data i would like to do this at index time.

So this is what I did;

Deployed prop.conf and tranforms.conf on the search peers.

Props.conf

 

[source::WMI...]
TRANSFORMS-Display = DisplayNametrans
SHOULD_LINEMERGE = false

 

transforms.conf

 

[DisplayNametrans]
REGEX = DisplayName=(?<DisplayName2>.*)\nName
FORMAT = DisplayName2::$1
WRITE_META = true

 

Created fields.conf on the search head

fields.conf

 

[DisplayName2]
INDEXED=true

 

 

After restarting everything, nothing happend....

To troubleshoot a little further, I changed the function TRANSFORMS-Display to REPORT-Display and then it's working which means my regex works...

Does somebody has an idea what i do wrong?

Kind regards, Joram

0 Karma
Reply

scelikok
Champion
‎03-13-2021 03:52 AM

Hi @jorambokma,

Are you getting WMI data using a heavy forwarder? If yes you should place props.conf and transforms.conf into that HF.

If this reply helps you an upvote is appreciated.
0 Karma
Reply

jorambokma
Explorer
‎03-15-2021 01:59 AM

Hi @scelikok,

Thanks for the response.

No, the UF's send their data directly to the search peers.

0 Karma
Reply
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.

Get Updates on the Splunk Community!