I've below Splunk architecture in my environment.
Universal Forwarders (Linux and Windows) -> Heavy Forwarder -> Indexers (cluster)
I want to know where the index-time field extraction will happen?
Are there any specific properties in props/transforms which execute on a specific component in a distributed environment?
if you have HFS on path then extractions will happen on the first non UF Splunk Enterprise instance (HF - IDX, if there are several HFs on lane then the first one is the correct place).
View solution in original post
@soutamo's answer is valid but the https://www.aplura.com/assets/pdf/where_to_put_props.pdf document will explain this in a bit more detail
@gjanders - Thanks, this is really helpful diagram.