Solved: Where index time extraction will happen?

VatsalJagani · ‎07-05-2020

I've below Splunk architecture in my environment.

Universal Forwarders (Linux and Windows) -> Heavy Forwarder -> Indexers (cluster)

I want to know where the index-time field extraction will happen?

On Heavy forwarder
On Indexers
On both (in this case, will indexer overrides the fields extracted by HF?)

Are there any specific properties in props/transforms which execute on a specific component in a distributed environment?

soutamo · ‎07-05-2020

Hi

if you have HFS on path then extractions will happen on the first non UF Splunk Enterprise instance (HF - IDX, if there are several HFs on lane then the first one is the correct place).

r. Ismo

View solution in original post

soutamo · ‎07-05-2020

Hi

if you have HFS on path then extractions will happen on the first non UF Splunk Enterprise instance (HF - IDX, if there are several HFs on lane then the first one is the correct place).

r. Ismo

View solution in original post

gjanders · ‎07-05-2020

@soutamo's answer is valid but the https://www.aplura.com/assets/pdf/where_to_put_props.pdf document will explain this in a bit more detail

VatsalJagani · ‎07-05-2020

@gjanders - Thanks, this is really helpful diagram.

Where index time extraction will happen?

indexer

Don't miss your chance to share your Splunk wisdom in-person or virtually at .conf21!Call for Speakers hasbeen extended throughThursday, 5/20! Submit Now! >

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!

Submit Now! >