Splunk Cloud Platform

Field extraction: best practice about destination app

SplunkExplorer
Contributor

Hi Splunkers, today I have a question that is not about a "technical how": my doubt is about a "best practice".

  • Environment: a Splunk Cloud combo instance (Core + Enterprise Security) with some Heavy Forwarders.
  • Task: perform some field extractions.
  • Details: add-ons for parsing are already installed and configured, so we do not have to create new ones; we should simply enrich/expand the existing ones. Those add-ons are installed on both the cloud components and the HFs.

The point is this: since we already have some add-ons for parsing, we could simply edit their props.conf and transforms.conf files; of course, since we have the add-ons installed on both the cloud components and the HFs, we have to perform the changes on all of them.
For example, performing add-on editing only on the cloud components with the GUI Field Extraction implies that new fields will be parsed at index time on them, because they will not be pre-parsed by the HFs.
Plus, we know that we should create a copy of those files in the local folder, to avoid editing the default ones, etcetera, etcetera, etcetera.

But, at the same time, for our SOC we created a custom app used as a container to store all customizations performed by/for them, following one of Splunk's best practices. We store reports, alerts, and so on there: by "we store there" I mean that, when we create something and choose an app context, we set our custom SOC one.
With this choice, we could simply perform a field extraction with the GUI and assign our custom one as the app context; of course, with this technique, the custom regexes are saved only on the cloud components and not on the HFs.

So, what I am wondering is: when we speak about field extraction, if we consider that the pre-parsing performed by the HF is desired but NOT mandatory, what is the best choice? Maintain all field extractions in the add-on, or split them between the OOT one and the custom one, using our custom SOC app?


richgalloway
SplunkTrust

If the data passes through an HF then parsing (not pre-parsing) is done by the HF.  Adding index-time extractions to the Cloud indexers will do nothing so new extractions must be added to the HF.

If the data does not pass through an HF then index-time field extraction is done by the indexers.

---
If this reply helps you, Karma would be appreciated.
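To make the accepted answer concrete, here is an added configuration example (not from the thread, not from any Splunk add-on) showing where each kind of extraction has to live. It goes one step beyond the answer by also showing the search-time case, which is what the GUI field extractor actually writes and which can safely stay in a search-head app such as the SOC container. The sourcetype `soc:custom`, the app name `soc_custom`, the field names and the regexes are all assumptions made for illustration.

```ini
# Added example (not from the original thread). Assumed sourcetype "soc:custom",
# assumed app "soc_custom"; file paths are <app>/local/ on the node named.

# ---- props.conf in soc_custom/local/ on the SEARCH HEAD (Splunk Cloud) ----
# Search-time extractions. This is what the GUI "Extract New Fields" wizard
# produces (EXTRACT-). They run on the search head at search time, so they
# work whether or not the events passed through an HF, and they can live
# in the custom SOC app without touching the add-on or the HFs.
[soc:custom]
EXTRACT-src_user = user=(?<src_user>[^\s,]+)
# Search-time, transforms-based extraction (also search head only).
REPORT-kv = soc_kv_pairs

# ---- transforms.conf in soc_custom/local/ on the SEARCH HEAD ----
[soc_kv_pairs]
REGEX = (\w+)=("[^"]*"|\S+)
FORMAT = $1::$2
MV_ADD = true

# ---- props.conf in the add-on's local/ on the HEAVY FORWARDER ----
# Index-time extractions. TRANSFORMS- stanzas run in the parsing pipeline,
# which for data that passes through an HF is the HF itself. Placing this
# only on the Cloud indexers does nothing for that data (the answer above).
[soc:custom]
TRANSFORMS-set_sev = soc_index_sev

# ---- transforms.conf in the add-on's local/ on the HEAVY FORWARDER ----
[soc_index_sev]
REGEX = severity=(\w+)
FORMAT = sev::$1
WRITE_META = true

# ---- fields.conf in soc_custom/local/ on the SEARCH HEAD ----
# Tells the search head that "sev" is an indexed field, so searches such as
# sev=high use the index instead of a search-time extraction.
[sev]
INDEXED = true
```

Practical rule that follows from this: keep search-time `EXTRACT-`/`REPORT-` stanzas in the SOC app on the search head, and reserve the add-on's `local/` on the HFs for the index-time `TRANSFORMS-` stanzas only. On any node you can confirm which stanza wins with `splunk btool props list soc:custom --debug`, which prints the file each setting was merged from.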
