Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Where index time extraction will happen?

VatsalJagani
SplunkTrust
SplunkTrust
‎07-05-2020 09:32 AM

I've below Splunk architecture in my environment.

Universal Forwarders (Linux and Windows) -> Heavy Forwarder -> Indexers (cluster)

I want to know where the index-time field extraction will happen?

  • On Heavy forwarder
  • On Indexers
  • On both (in this case, will indexer overrides the fields extracted by HF?)

 

Are there any specific properties in props/transforms which execute on a specific component in a distributed environment?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎07-05-2020 09:40 AM

Hi

if you have HFS on path then extractions will happen on the first non UF Splunk Enterprise instance (HF - IDX, if there are several HFs on lane then the first one is the correct place).

r. Ismo

View solution in original post

Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎07-05-2020 09:40 AM

Hi

if you have HFS on path then extractions will happen on the first non UF Splunk Enterprise instance (HF - IDX, if there are several HFs on lane then the first one is the correct place).

r. Ismo

Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎07-05-2020 06:04 PM

@isoutamo's answer is valid but the https://www.aplura.com/assets/pdf/where_to_put_props.pdf document will explain this in a bit more detail

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎07-05-2020 09:21 PM

@gjanders  - Thanks, this is really helpful diagram.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...