SHC environment EXTRACT data without deployer


Hello team,

I have distrubuted environment and I got some data with syslog.  We  are create some regex for field extraction on captain SH not on Deployer (possibly this part should be search time field extraction) and everything works but I dont get it. I know captain SH replace the conf file for other SH. İs it process automatic or not? I cant see same config on deployer, I think its normal because we dont have app for this logsource just we use custom parse. İf I had a app, I can use deployer but in this case wondering custom process. Somebody can explain for me these process? why we didnt use Deployment server for HF parsing?(maybe its other way I'm not clear)


Labels (1)
Tags (2)
0 Karma


Hi @Thats_my_usrnme ,

you have to use Deployer to send the first version of an app to SHs.

Then every configuration update (made by GUI) is replicated to all the other Cluster members, but not to the Deployer.

If you have to make an update to the app, you have still to do it by Deployer but, anyway, the updated made on the members by GUI remain because they are in the local folders.

If you try to make an update directly to a conf file it isn't replicated to the other members.

You can find more details at and



Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...