
Distributed Environment Extractions: Does REPORT in props.conf and transforms.conf regex execute on the search head or indexer?

bbthesplunk
Explorer

My company has a distributed environment with 2 Search Heads and 2 Indexers. Where does REPORT in props.conf and REGEX in transforms.conf execute? On the search head or the indexer?

The reason I ask is the Splunk_TA_cisco-asa app that extracts things such as src_ip takes an inordinate amount of time when running smart mode versus fast mode. Upon investigation it appears the extractions (REPORT/REGEX) are executing on the Indexers.

Thanks!

sowings
Splunk Employee

They'll be distributed to the indexers (by the search head) in order to run at search time to ensure that only the events you want are returned. Let's say you wanted to search by src_ip=192.168.1.1, the indexer first has to know how to extract the src_ip, so yes, those extractions will be done on the indexer, sharing the load.

The discrepancy in speed between smart mode and fast mode is expected, you might say.

0 Karma
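The mechanism sowings describes, as an added example that is not from this thread and not the Splunk_TA_cisco-asa add-on's own code: a small Python model of search-time REPORT extraction. The props.conf and transforms.conf fragments, the stanza names, the regexes and the sample ASA-style events are all constructed for illustration. It shows why a filter such as src_ip=192.168.1.1 forces every event to be run through the transforms regex before it can be kept or dropped, so the extraction work lands on whichever host holds the events, which in a distributed deployment is the indexer.

```python
"""Minimal model of Splunk search-time REPORT extraction (added example,
not from the thread or the Splunk_TA_cisco-asa add-on)."""
import configparser
import re

# Constructed props.conf / transforms.conf fragments; stanza names and
# regexes are hypothetical, not the add-on's own.
PROPS_CONF = """
[cisco:asa]
REPORT-asa_fields = asa_src_ip, asa_dst_ip
"""

TRANSFORMS_CONF = r"""
[asa_src_ip]
REGEX = \bsrc\s+(?:[\w-]+:)?(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})

[asa_dst_ip]
REGEX = \bdst\s+(?:[\w-]+:)?(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})
"""

# Constructed sample events shaped like ASA access-list deny and
# connection-built messages; addresses are documentation ranges.
EVENTS = [
    '%ASA-4-106023: Deny tcp src outside:192.168.1.1/51234 dst inside:10.0.0.5/22 by access-group "OUTSIDE_IN"',
    '%ASA-4-106023: Deny udp src outside:203.0.113.9/5353 dst inside:10.0.0.5/53 by access-group "OUTSIDE_IN"',
    '%ASA-4-106023: Deny tcp src outside:192.168.1.1/51240 dst inside:10.0.0.8/443 by access-group "OUTSIDE_IN"',
    '%ASA-6-302013: Built outbound TCP connection 900 for outside:198.51.100.2/443 (198.51.100.2/443) to inside:10.0.0.5/40000 (10.0.0.5/40000)',
]


def _parse(text):
    """Read a .conf fragment; keep key case (REPORT-*, REGEX) and disable
    '%' interpolation so regex text passes through untouched."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def load_report_regexes(props_text, transforms_text, sourcetype):
    """Resolve every REPORT-* entry of the sourcetype stanza to the compiled
    REGEX of the transforms.conf stanza(s) it names."""
    props, transforms = _parse(props_text), _parse(transforms_text)
    regexes = []
    for key, value in props[sourcetype].items():
        if not key.startswith("REPORT-"):
            continue
        for stanza in (s.strip() for s in value.split(",")):
            regexes.append(re.compile(transforms[stanza]["REGEX"]))
    return regexes


def extract_fields(event, regexes):
    """Search-time extraction: named capture groups become fields;
    a regex that does not match contributes nothing."""
    fields = {}
    for rx in regexes:
        m = rx.search(event)
        if m:
            fields.update({k: v for k, v in m.groupdict().items() if v is not None})
    return fields


def search(events, regexes, **wanted):
    """Filter events on extracted field values, as an indexer would for
    'sourcetype=cisco:asa src_ip=192.168.1.1'.  Returns (matches, regex_runs).
    Every event goes through every regex before the filter can decide, so the
    regex cost is paid wherever the events are stored."""
    matches, regex_runs = [], 0
    for ev in events:
        fields = extract_fields(ev, regexes)
        regex_runs += len(regexes)
        if all(fields.get(k) == v for k, v in wanted.items()):
            matches.append((ev, fields))
    return matches, regex_runs


if __name__ == "__main__":
    rx = load_report_regexes(PROPS_CONF, TRANSFORMS_CONF, "cisco:asa")
    hits, runs = search(EVENTS, rx, src_ip="192.168.1.1")
    print(f"{len(hits)} of {len(EVENTS)} events kept after {runs} regex runs")
    for _, fields in hits:
        print(fields)
```

Running it keeps two of the four sample events but performs eight regex runs (four events times two transforms), which is the shape of the cost the original poster saw: it scales with the events scanned, not with the events returned, and fast mode avoids it only because it skips search-time extraction of fields the search does not reference.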

bbthesplunk
Explorer

So I understand when an extraction is used as part of the search, but do all extractions occur on the indexer?

Say I do a dense search with Splunk of...

sourcetype=cisco:asa

Do all the extractions occur on the indexer or are some performed on the search head?

Thanks!

0 Karma

sowings
Splunk Employee

The fields will be extracted by the host where the data resides. In a distributed environment, this is most likely the indexers, but may be the search head as well.

0 Karma