Splunk Search

Index time SEDCMD not applying when indexer is split from search head

dbryan
Path Finder

I have a configuration working perfectly in development in an environment with a single Splunk instance.

This is the relevant part of props.conf, which we've put on the indexer so that the index-time transformation will be performed:

[host::DoubleClick]
SEDCMD-01_DoubleClickDelimSpacer = y/þ/, /
[mysourcetype1]
CHARSET = ISO-8859-1
[mysourcetype2]
CHARSET = ISO-8859-1

The SEDCMD is not working at all - the data is not being transformed. As I said, if I do this in an environment where the search head and the indexer are one and the same, and all my search-time field extractions are in the same props.conf as the above, everything works.

The CHARSET must be set correctly for Splunk to read the file correctly; I tried specifying it in the host stanza with the SEDCMD and it didn't help.

The production environment is running 4.3.0, while the dev environment is running 4.3.2.

Anyone got any tips?

Tags (3)
0 Karma
1 Solution

willthames2
Path Finder

As with http://splunk-base.splunk.com/answers/11680/sedcmd-not-executing, if there is a heavy forwarder processing the data before the indexer, the SEDCMD and other parsing happens there.

See http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings for more details

View solution in original post

0 Karma

willthames2
Path Finder

As with http://splunk-base.splunk.com/answers/11680/sedcmd-not-executing, if there is a heavy forwarder processing the data before the indexer, the SEDCMD and other parsing happens there.

See http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings for more details

View solution in original post

0 Karma

dbryan
Path Finder

Cracked it - looks like the character encoding had to be set on the forwarder, rather than on the indexer. I created a props.conf on the forwarder and set it in there and everything worked. Strange that the encoding handling is done on the forwarder when it's not doing any indexing.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!