Solved: Where index time extraction will happen?

VatsalJagani · ‎07-05-2020

I've below Splunk architecture in my environment.

Universal Forwarders (Linux and Windows) -> Heavy Forwarder -> Indexers (cluster)

I want to know where the index-time field extraction will happen?

On Heavy forwarder
On Indexers
On both (in this case, will indexer overrides the fields extracted by HF?)

Are there any specific properties in props/transforms which execute on a specific component in a distributed environment?

isoutamo · ‎07-05-2020

Hi

if you have HFS on path then extractions will happen on the first non UF Splunk Enterprise instance (HF - IDX, if there are several HFs on lane then the first one is the correct place).

r. Ismo

View solution in original post

isoutamo · ‎07-05-2020

Hi

if you have HFS on path then extractions will happen on the first non UF Splunk Enterprise instance (HF - IDX, if there are several HFs on lane then the first one is the correct place).

r. Ismo

gjanders · ‎07-05-2020

@isoutamo's answer is valid but the https://www.aplura.com/assets/pdf/where_to_put_props.pdf document will explain this in a bit more detail

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

VatsalJagani · ‎07-05-2020

@gjanders - Thanks, this is really helpful diagram.

Where index time extraction will happen?

indexer

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!