Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Universal Forwarder and props.conf and transforms.conf

phoenixdigital
Builder
‎07-07-2011 05:03 PM

Just a quick question regarding the "Universal Forwarder"

I have setup my inputs.conf and outputs.conf in
/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/local/
this works perfectly

However I also wanted to perform some processing on these inputs prior to sending to the indexer.

It made sense that I would need to add props.conf and transforms.conf to this directory.

This however did not appear to work. Adding the props.conf and transforms.conf files to the indexer worked however.

Is there a way to do this on the universal forwarder or does it need to be done on the indexer?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎07-07-2011 08:42 PM

Universal Forwarder and Light Forwarder do not parse events before passing them on to the indexer. Because they do not, most props.conf and transforms.conf settings need to be done at the indexer. This is what makes these two Forwarders "lighter" than the standard "Heavy" forwarder and a Splunk indexer.

View solution in original post

Reply
Solved! Jump to solution

irwinj_125
Explorer
‎01-29-2021 09:05 AM

Apologies for my ignorance.  I've having a similar issue.

Regarding this comment:

"This however did not appear to work. Adding the props.conf and transforms.conf files to the indexer worked however."

Exactly how do you add these files to the indexer?

0 Karma
Reply
Solved! Jump to solution

DUThibault
Contributor
‎02-06-2018 12:43 PM

You can have your Universal Forwarder do the index-time work, meaning SEDCMD and TRANSFORMS, as well as sourcetyping. The trick is that the Universal Forwarder's props.conf and transforms.conf must be on the forwarder (if you edit them in /opt/splunk/etc/deployment-apps/_server_app_<forwarder_class>/local/, Splunk will send the files to the forwarders for you) and the props.conf [<sourcetype>] and [source::<source>] stanzas must have a force_local_processing = true clause. Note that if the Universal Forwarder does the indexing, the Splunk instances won't: all of the index-time work must be done on the Universal Forwarder.

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎07-07-2011 08:42 PM

Universal Forwarder and Light Forwarder do not parse events before passing them on to the indexer. Because they do not, most props.conf and transforms.conf settings need to be done at the indexer. This is what makes these two Forwarders "lighter" than the standard "Heavy" forwarder and a Splunk indexer.

Reply
Solved! Jump to solution

walterk82
Path Finder
‎03-23-2017 06:21 AM

most props.conf and transforms.conf settings need to be done at the indexer

Is there a more comprehensive definition of "most" and "works"?

0 Karma
Reply
Solved! Jump to solution

walterk82
Path Finder
‎03-23-2017 06:25 AM

Answered my own question:
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F

0 Karma
Reply
Solved! Jump to solution

phoenixdigital
Builder
‎07-12-2011 03:25 PM

Thanks for the information. Makes sense from the perspective of 'light' and 'heavy' system usage.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...