Re: Setting props.conf on the search head or clust...

mah · ‎09-01-2021

Hi,

I want to know what is the difference between setting props.conf on the search head instead or on the cluster master in a distributed environment. (1 Search head, 1 CM, 2 IDX for example)

I have to set an field extraction from custom logs, and so set EXTRACT-fields parameter in a props.conf with the corresponding regex and I was wondering this above question.

If someone can help me to understand, it will be nice.

Thanks.

PickleRick · ‎09-01-2021

Desired location of props.conf depends on the effect you want to achieve. If you want search-time extractions, you need props.conf and transforms.conf on search-heads (either put there directly or distributed from the deployer). If you want indexed field extraction, you need to put the files on the server(s) in the ingest path (indexers and/or heavy forwarders).

There would be no point in defining search-time extraction on indexers as there is no point of defining ingest time indexed field extractions on search heads.

Of course you can make "common" props.conf and transforms.conf containing both types of configurations and put them on both layers of your environment. This way only settings relevant to the appropriate layer would be in effect, the rest of the settings would be ignored.

Setting props.conf on the search head or cluster master

field extraction

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!