Solved: Where index time extraction will happen?

VatsalJagani · ‎07-05-2020

I've below Splunk architecture in my environment.

Universal Forwarders (Linux and Windows) -> Heavy Forwarder -> Indexers (cluster)

I want to know where the index-time field extraction will happen?

On Heavy forwarder
On Indexers
On both (in this case, will indexer overrides the fields extracted by HF?)

Are there any specific properties in props/transforms which execute on a specific component in a distributed environment?

isoutamo · ‎07-05-2020

Hi

if you have HFS on path then extractions will happen on the first non UF Splunk Enterprise instance (HF - IDX, if there are several HFs on lane then the first one is the correct place).

r. Ismo

View solution in original post

isoutamo · ‎07-05-2020

Hi

if you have HFS on path then extractions will happen on the first non UF Splunk Enterprise instance (HF - IDX, if there are several HFs on lane then the first one is the correct place).

r. Ismo

gjanders · ‎07-05-2020

@isoutamo's answer is valid but the https://www.aplura.com/assets/pdf/where_to_put_props.pdf document will explain this in a bit more detail

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

VatsalJagani · ‎07-05-2020

@gjanders - Thanks, this is really helpful diagram.

Where index time extraction will happen?

indexer

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

Where index time extraction will happen?

indexer

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25