- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Index time SEDCMD not applying when indexer is spl...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a configuration working perfectly in development in an environment with a single Splunk instance.
This is the relevant part of props.conf, which we've put on the indexer so that the index-time transformation will be performed:
[host::DoubleClick]
SEDCMD-01_DoubleClickDelimSpacer = y/þ/, /
[mysourcetype1]
CHARSET = ISO-8859-1
[mysourcetype2]
CHARSET = ISO-8859-1
The SEDCMD is not working at all - the data is not being transformed. As I said, if I do this in an environment where the search head and the indexer are one and the same, and all my search-time field extractions are in the same props.conf as the above, everything works.
The CHARSET must be set correctly for Splunk to read the file correctly; I tried specifying it in the host stanza with the SEDCMD and it didn't help.
The production environment is running 4.3.0, while the dev environment is running 4.3.2.
Anyone got any tips?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As with http://splunk-base.splunk.com/answers/11680/sedcmd-not-executing, if there is a heavy forwarder processing the data before the indexer, the SEDCMD and other parsing happens there.
See http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings for more details
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As with http://splunk-base.splunk.com/answers/11680/sedcmd-not-executing, if there is a heavy forwarder processing the data before the indexer, the SEDCMD and other parsing happens there.
See http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings for more details
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cracked it - looks like the character encoding had to be set on the forwarder, rather than on the indexer. I created a props.conf on the forwarder and set it in there and everything worked. Strange that the encoding handling is done on the forwarder when it's not doing any indexing.
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
