Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

props.conf extractions

gnovak
Builder
‎07-18-2012 09:30 AM

I have a quick question here. I have a distributed environment with about 5 indexers and then a main search head.

I have a props.conf file on 1 of the indexers and it's being used to extract data into fields. However when searching on the main search head for this data, the fields aren't present. If I search on the indexer itself where the props.conf resides, the fields are present.

Do I have to put the extractions in the props.conf on the search head as well? I would have thought putting it on the indexer was the right thing to do and that this would filter down when searching on the main search head.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gnovak
Builder
‎07-18-2012 09:33 AM

Actually nevermind! I put the extractions in the props.conf also on the search head and this resolved the issue. No worries here!

View solution in original post

Reply
Solved! Jump to solution
Solution

gnovak
Builder
‎07-18-2012 09:33 AM

Actually nevermind! I put the extractions in the props.conf also on the search head and this resolved the issue. No worries here!

Reply
Solved! Jump to solution

Jon_Webster
Splunk Employee
Splunk Employee
‎07-18-2012 09:54 AM

If you think about it, since Splunk does the field extractions at search time, and the search head has to coordinate and post-process the data coming from all the indexers, the search head must have all search-time knowledge objects.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...