Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk ES indexer deployment

brianmarc
New Member
‎05-15-2012 11:12 AM

I see some apps that state they need to be deployed to indexers. However I see no usage of the “TRANSFORMS-” in the props.conf for the app. Is this an error in the README file or an error in my assessment of index-time field extractions?

0 Karma
Reply

LukeMurphey
Champion
‎05-15-2012 11:44 AM

"TRANSFORMS-" is not the only indication of index-time knowledge. You also need to consider:

  • CHARSET
  • TRUNCATE
  • LINE_BREAKER
  • LINE_BREAKER_LOOKBEHIND
  • SHOULD_LINEMERGE
    • BREAK_ONLY_BEFORE_DATE
    • BREAK_ONLY_BEFORE
    • MUST_BREAK_AFTER
    • MUST_NOT_BREAK_AFTER
    • MUST_NOT_BREAK_BEFORE
    • MAX_EVENTS
  • DATETIME_CONFIG
  • TIME_PREFIX
  • MAX_TIMESTAMP_LOOKAHEAD
  • TIME_FORMAT
  • TZ
  • MAX_DAYS_AGO
  • MAX_DAYS_HENCE
  • MAX_DIFF_SECS_AGO
  • MAX_DIFF_SECS_HENCE
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

New This Month - Observability Updates Give Extended Visibility and Improve User ...

This month is a collection of special news! From Magic Quadrant updates to AppDynamics integrations to ...

Intro to Splunk Synthetic Monitoring

In our last post, we mentioned that the 3 key pieces of observability – metrics, logs, and traces – provide ...