Index time SEDCMD not applying when indexer is split from search head

dbryan
Path Finder

I have a configuration working perfectly in development in an environment with a single Splunk instance.

This is the relevant part of props.conf, which we've put on the indexer so that the index-time transformation will be performed:

[host::DoubleClick]
SEDCMD-01_DoubleClickDelimSpacer = y/þ/, /
[mysourcetype1]
CHARSET = ISO-8859-1
[mysourcetype2]
CHARSET = ISO-8859-1

The SEDCMD is not working at all - the data is not being transformed. As I said, if I do this in an environment where the search head and the indexer are one and the same, and all my search-time field extractions are in the same props.conf as the above, everything works.

The CHARSET must be set correctly for Splunk to read the file correctly; I tried specifying it in the host stanza with the SEDCMD and it didn't help.

The production environment is running 4.3.0, while the dev environment is running 4.3.2.

Anyone got any tips?

0 Karma

willthames2
Path Finder

As with http://splunk-base.splunk.com/answers/11680/sedcmd-not-executing, if there is a heavy forwarder processing the data before the indexer, the SEDCMD and other parsing happen there.

See http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings for more details.

0 Karma

dbryan
Path Finder

Cracked it - looks like the character encoding had to be set on the forwarder, rather than on the indexer. I created a props.conf on the forwarder and set it in there and everything worked. Strange that the encoding handling is done on the forwarder when it's not doing any indexing.

0 Karma
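
An added example, not part of the original posts and not Splunk's code: a simplified Python model of why the CHARSET had to be in effect where the file is read before the SEDCMD could match anything. The function names, the UTF-8 default, the rendering of undecodable bytes and the sample line are assumptions made for illustration.

```python
# Simplified model (an assumption, not Splunk internals) of the two steps in
# this thread: the instance that reads the file decodes its bytes using
# CHARSET, and a later parsing step applies the SEDCMD to the decoded text.

DEFAULT_CHARSET = "utf-8"  # assumed default when no CHARSET applies at read time


def input_phase(raw: bytes, charset: str = DEFAULT_CHARSET) -> str:
    """Decode raw file bytes on the instance that reads them (the forwarder)."""
    # backslashreplace stands in for however undecodable bytes get rendered.
    return raw.decode(charset, errors="backslashreplace")


def sedcmd_delim_spacer(event: str) -> str:
    """Model the intended effect of SEDCMD-01_DoubleClickDelimSpacer."""
    return event.replace("\u00fe", ", ")  # U+00FE is the thorn character


def needs_charset(raw: bytes) -> bool:
    """True when the bytes are not valid UTF-8, so the default would misread them."""
    try:
        raw.decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True


def pipeline(raw: bytes, forwarder_charset=None) -> str:
    """Decode at read time, then transform at parse time."""
    text = input_phase(raw, forwarder_charset or DEFAULT_CHARSET)
    return sedcmd_delim_spacer(text)


# Constructed sample line: three fields delimited by byte 0xFE (thorn in ISO-8859-1).
SAMPLE = b"12345\xfeclick\xfeexample.test"


def run_cases() -> dict:
    return {
        "charset_on_forwarder": pipeline(SAMPLE, "iso-8859-1"),
        "charset_only_on_indexer": pipeline(SAMPLE, None),
    }


if __name__ == "__main__":
    print("needs CHARSET at read time:", needs_charset(SAMPLE))
    for name, event in run_cases().items():
        print(f"{name:24} {event}")
```

In the second case the delimiter character never exists in the decoded event, so the transformation has nothing to match no matter which instance carries the SEDCMD.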