Solved: Why is indexed extraction not happening when the d...

koshyk · ‎04-25-2019

Hi,

We have a quite a "piggy backed" data coming from a system and extracting as

[mysourcetype]
SHOULD_LINEMERGE=false
INDEXED_EXTRACTIONS=CSV
FIELD_NAMES=Date,Time,EmployeeID,EmployeeName
TIMESTAMP_FIELDS=Date,Time

(A) System Data collected using UF => (B) Sent to Heavy Forwarder => (C) HF to Indexer => (D) Clustered SH

We have the

inputs.conf in (A)
props.conf with INDEXED_EXTRACTIONS=CSV in (B) , (C) & (D)

Directly indexing the file works perfectly in standalone Splunk Instance.
But when the data comes via the UF, the indexed extraction is not happening.

Any reasons for this? Should we add props.conf to UF?

marthodder · ‎04-25-2019

You're correct - You will need to add INDEXED_EXTRACTIONS=CSV in a props.conf for local deployment to each of the hosts.

[sourcetype] 
INDEXED_EXTRACTIONS=CSV

View solution in original post

marthodder · ‎04-25-2019

You're correct - You will need to add INDEXED_EXTRACTIONS=CSV in a props.conf for local deployment to each of the hosts.

[sourcetype] 
INDEXED_EXTRACTIONS=CSV

koshyk · ‎04-25-2019

thanks for the tip.
UF also requires the props.conf

Why is indexed extraction not happening when the data comes via the UF?

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

Preparing your Splunk Environment for OpenSSL3

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation