Solved: Where index time extraction will happen?

VatsalJagani · ‎07-05-2020

I've below Splunk architecture in my environment.

Universal Forwarders (Linux and Windows) -> Heavy Forwarder -> Indexers (cluster)

I want to know where the index-time field extraction will happen?

On Heavy forwarder
On Indexers
On both (in this case, will indexer overrides the fields extracted by HF?)

Are there any specific properties in props/transforms which execute on a specific component in a distributed environment?

isoutamo · ‎07-05-2020

Hi

if you have HFS on path then extractions will happen on the first non UF Splunk Enterprise instance (HF - IDX, if there are several HFs on lane then the first one is the correct place).

r. Ismo

View solution in original post

isoutamo · ‎07-05-2020

Hi

if you have HFS on path then extractions will happen on the first non UF Splunk Enterprise instance (HF - IDX, if there are several HFs on lane then the first one is the correct place).

r. Ismo

gjanders · ‎07-05-2020

@isoutamo's answer is valid but the https://www.aplura.com/assets/pdf/where_to_put_props.pdf document will explain this in a bit more detail

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

VatsalJagani · ‎07-05-2020

@gjanders - Thanks, this is really helpful diagram.

Where index time extraction will happen?

indexer

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

Index This | What has goals but no motivation?

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Join the Conversation