Splunk Cloud Platform

Field extraction: best practice about destination app

SplunkExplorer
Contributor

Hi Splunkers, today I have a question that is not about a "technical how": my doubt is about a "best practice".

  • Environment: a Splunk Cloud combo instance (Core + Enterprise Security) with some Heavy Forwarders.
  • Task: perform some field extractions
  • Details: add-ons for parsing are already installed and configured, so we do not have to create new ones; we should simply enrich/expand the existing ones. Those add-ons are installed on both the cloud components and the HFs.

The point is this: since we already have some add-ons for parsing, we could simply edit their props.conf and transforms.conf files; of course, since we have the add-ons installed on both the cloud components and the HFs, we have to make the changes on all of them.
For example, editing the add-on only on the cloud components with the GUI Field Extraction implies that the new fields will be parsed at index time there, because they will not be pre-parsed by the HFs.
Plus, we know that we should create a copy of those files in the local folder, to avoid editing the default one, etcetera, etcetera, etcetera.

But, at the same time, for our SOC we created a custom app used as a container to store all the customizations performed by/for them, following one of Splunk's best practices. We store reports, alerts, and so on there: by "we store there" I mean that, when we create something and choose an app context, we set it to our custom SOC one.
With this choice, we could simply perform a field extraction with the GUI and assign our custom app as the app context; of course, with this technique, the custom regexes are saved only on the cloud components and not on the HFs.

So, what I am wondering is: when we talk about field extraction, if we consider that the pre-parsing performed by the HF is desired but NOT mandatory, what is the best choice? Maintain all field extractions in the add-on, or split them between the OOT one and a custom one, using our custom SOC app?

1 Solution

richgalloway
SplunkTrust

If the data passes through an HF then parsing (not pre-parsing) is done by the HF. Adding index-time extractions to the Cloud indexers will do nothing so new extractions must be added to the HF.

If the data does not pass through an HF then index-time field extraction is done by the indexers.

---
If this reply helps you, Karma would be appreciated.
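To make the distinction in the answer concrete, here is an added configuration example (not the poster's or Splunk's own config, and not from any specific add-on): an index-time extraction that belongs on the Heavy Forwarder, placed in the add-on's local directory, beside a search-time extraction that can live in the custom SOC app on the Cloud search tier. The sourcetype `soc:example`, the add-on directory name `<TA_name>`, the app name `soc_custom_app` and the field names are all hypothetical placeholders. On Splunk Cloud the files are packaged and deployed with the app (or written by the GUI into the chosen app context) rather than edited on disk.

```ini
# ---------------------------------------------------------------------------
# INDEX-TIME extraction: applied during parsing, so it only takes effect on the
# instance that actually parses the data. When an HF sits in front of the Cloud
# indexers, that instance is the HF; the same stanzas on the indexers do nothing
# for data that arrives already parsed ("cooked").
# Hypothetical path on the HF: $SPLUNK_HOME/etc/apps/<TA_name>/local/props.conf
# ('local' overrides 'default' and survives add-on upgrades)
# ---------------------------------------------------------------------------
[soc:example]
TRANSFORMS-soc_device = soc_device_indexed

# Hypothetical path on the HF: $SPLUNK_HOME/etc/apps/<TA_name>/local/transforms.conf
[soc_device_indexed]
# Constructed sample event fragment this matches: "... device_id=fw01 action=deny user=alice ..."
REGEX = device_id=(\w+)
FORMAT = device_id::$1
# WRITE_META = true writes the field into the index as an indexed field
WRITE_META = true

# Hypothetical path on the HF: $SPLUNK_HOME/etc/apps/<TA_name>/local/fields.conf
# Marks the field as indexed so the search tier does not try to extract it at search time
[device_id]
INDEXED = true

# ---------------------------------------------------------------------------
# SEARCH-TIME extraction: evaluated on the search head when a search runs, so it
# works regardless of whether the HF or the indexer parsed the event. This is what
# the GUI Field Extractor writes into the app chosen as app context, which is why
# it can safely live in the custom SOC app and never needs to reach the HF.
# Hypothetical path on the Cloud search tier:
#   $SPLUNK_HOME/etc/apps/soc_custom_app/local/props.conf
# ---------------------------------------------------------------------------
[soc:example]
# Inline regex with a named capture group: field "action" from "action=deny"
EXTRACT-soc_action = \baction=(?<action>\w+)
# Or a named transforms.conf stanza for regexes you want to reuse
REPORT-soc_user = soc_user_search

# Hypothetical path: $SPLUNK_HOME/etc/apps/soc_custom_app/local/transforms.conf
[soc_user_search]
REGEX = \buser=([^\s,]+)
FORMAT = user::$1
```

The split above follows directly from the answer: anything that must be an indexed field (index-time) has to be deployed where parsing happens, which with an HF in the path means the HF's copy of the add-on; everything else can be a search-time extraction kept in the SOC app. From a maintenance and risk point of view, search-time extractions are also the safer default: they apply retroactively to data already indexed and can be corrected later, whereas indexed fields are fixed at ingestion and increase index size, so reserve them for the few fields that genuinely need them.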