SHC environment EXTRACT data without deployer

Thats_my_usrnme
Hello team,

I have a distributed environment and I get some data via syslog. We created some regexes for field extraction on the captain SH, not on the Deployer (possibly this part should be search-time field extraction), and everything works, but I don't get it. I know the captain SH replaces the conf file for the other SHs. Is this process automatic or not? I can't see the same config on the Deployer; I think that's normal because we don't have an app for this log source, we just use custom parsing. If I had an app, I could use the Deployer, but in this case I'm wondering about the custom process. Can somebody explain this process to me? Why didn't we use the Deployment Server for HF parsing? (Maybe it's another way, I'm not clear.)


gcusello

Hi @Thats_my_usrnme ,

You have to use the Deployer to send the first version of an app to the SHs.

Then every configuration update (made by GUI) is replicated to all the other Cluster members, but not to the Deployer.

If you have to make an update to the app, you still have to do it via the Deployer but, anyway, the updates made on the members by GUI remain because they are in the local folders.

If you try to make an update directly to a conf file, it isn't replicated to the other members.

You can find more details at https://docs.splunk.com/Documentation/Splunk/9.1.2/DistSearch/AboutSHC and https://www.youtube.com/watch?v=VPa3EjqD8Q4

Ciao.

Giuseppe
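
The consequence of the last point in the answer above (a direct conf-file edit stays on one member), shown as an added example that is not part of the original thread: a small check that compares `EXTRACT-` settings from each member's props.conf and reports those that are not present everywhere. It assumes the props.conf text has already been collected from each member; the member names, sourcetype and regexes are constructed sample data.

```python
# Added example: find EXTRACT- settings that differ between SHC members.
# Member names, sourcetype and regexes are constructed sample data.

def parse_conf(text):
    """Parse simple Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)  # regex values may contain '='
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def extraction_drift(members):
    """Return {(stanza, key): {member: value or None}} for every EXTRACT-
    setting that is not identical on all members."""
    parsed = {name: parse_conf(text) for name, text in members.items()}
    settings = {(s, k) for conf in parsed.values()
                for s, kv in conf.items() for k in kv
                if k.startswith("EXTRACT-")}
    drift = {}
    for stanza, key in sorted(settings):
        values = {n: c.get(stanza, {}).get(key) for n, c in parsed.items()}
        if len(set(values.values())) > 1:
            drift[(stanza, key)] = values
    return drift

# EXTRACT-user stands for an extraction created in the GUI (on every member);
# EXTRACT-src stands for a line typed straight into sh1's props.conf.
REPLICATED = r"""
[custom:syslog]
EXTRACT-user = user=(?<user>\S+)
"""
HAND_EDITED = REPLICATED + r"EXTRACT-src = src=(?<src_ip>\d+\.\d+\.\d+\.\d+)" + "\n"

MEMBERS = {"sh1": HAND_EDITED, "sh2": REPLICATED, "sh3": REPLICATED}

if __name__ == "__main__":
    for (stanza, key), values in extraction_drift(MEMBERS).items():
        missing = [m for m, v in values.items() if v is None]
        print(f"[{stanza}] {key}: missing on {missing}")
```
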
