Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Universal Forwarder and props.conf and transforms.conf

phoenixdigital
Builder
‎07-07-2011 05:03 PM

Just a quick question regarding the "Universal Forwarder"

I have setup my inputs.conf and outputs.conf in
/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/local/
this works perfectly

However I also wanted to perform some processing on these inputs prior to sending to the indexer.

It made sense that I would need to add props.conf and transforms.conf to this directory.

This however did not appear to work. Adding the props.conf and transforms.conf files to the indexer worked however.

Is there a way to do this on the universal forwarder or does it need to be done on the indexer?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎07-07-2011 08:42 PM

Universal Forwarder and Light Forwarder do not parse events before passing them on to the indexer. Because they do not, most props.conf and transforms.conf settings need to be done at the indexer. This is what makes these two Forwarders "lighter" than the standard "Heavy" forwarder and a Splunk indexer.

View solution in original post

Reply
Solved! Jump to solution

irwinj_125
Explorer
‎01-29-2021 09:05 AM

Apologies for my ignorance.  I've having a similar issue.

Regarding this comment:

"This however did not appear to work. Adding the props.conf and transforms.conf files to the indexer worked however."

Exactly how do you add these files to the indexer?

0 Karma
Reply
Solved! Jump to solution

DUThibault
Contributor
‎02-06-2018 12:43 PM

You can have your Universal Forwarder do the index-time work, meaning SEDCMD and TRANSFORMS, as well as sourcetyping. The trick is that the Universal Forwarder's props.conf and transforms.conf must be on the forwarder (if you edit them in /opt/splunk/etc/deployment-apps/_server_app_<forwarder_class>/local/, Splunk will send the files to the forwarders for you) and the props.conf [<sourcetype>] and [source::<source>] stanzas must have a force_local_processing = true clause. Note that if the Universal Forwarder does the indexing, the Splunk instances won't: all of the index-time work must be done on the Universal Forwarder.

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎07-07-2011 08:42 PM

Universal Forwarder and Light Forwarder do not parse events before passing them on to the indexer. Because they do not, most props.conf and transforms.conf settings need to be done at the indexer. This is what makes these two Forwarders "lighter" than the standard "Heavy" forwarder and a Splunk indexer.

Reply
Solved! Jump to solution

walterk82
Path Finder
‎03-23-2017 06:21 AM

most props.conf and transforms.conf settings need to be done at the indexer

Is there a more comprehensive definition of "most" and "works"?

0 Karma
Reply
Solved! Jump to solution

walterk82
Path Finder
‎03-23-2017 06:25 AM

Answered my own question:
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F

0 Karma
Reply
Solved! Jump to solution

phoenixdigital
Builder
‎07-12-2011 03:25 PM

Thanks for the information. Makes sense from the perspective of 'light' and 'heavy' system usage.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...