I have a configuration working perfectly in development in an environment with a single Splunk instance.
This is the relevant part of props.conf, which we've put on the indexer so that the index-time transformation will be performed:
[host::DoubleClick]
SEDCMD-01_DoubleClickDelimSpacer = y/þ/, /
[mysourcetype1]
CHARSET = ISO-8859-1
[mysourcetype2]
CHARSET = ISO-8859-1
The SEDCMD is not working at all - the data is not being transformed. As I said, if I do this in an environment where the search head and the indexer are one and the same, and all my search-time field extractions are in the same props.conf as the above, everything works.
The CHARSET must be set correctly for Splunk to read the file correctly; I tried specifying it in the host stanza with the SEDCMD and it didn't help.
The production environment is running 4.3.0, while the dev environment is running 4.3.2.
Anyone got any tips?
As with http://splunk-base.splunk.com/answers/11680/sedcmd-not-executing, if there is a heavy forwarder processing the data before the indexer, the SEDCMD and other parsing happens there.
See http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings for more details
Cracked it - looks like the character encoding had to be set on the forwarder, rather than on the indexer. I created a props.conf on the forwarder and set it in there and everything worked. Strange that the encoding handling is done on the forwarder when it's not doing any indexing.
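The interaction described in this thread, as an added illustration that is not part of the original posts and is not Splunk code: a rule written for the þ delimiter only matches if the bytes were decoded as ISO-8859-1 before the rule runs. The function names, the sample event, the use of a plain string replacement in place of the SEDCMD, and the replacement-character behaviour for invalid bytes are all assumptions made for the example.

```python
# Illustrative model, not Splunk code: decode with a charset, then rewrite the
# delimiter, to show why the rewrite depends on the decode step.

# Constructed sample event: fields separated by byte 0xFE ("þ" in ISO-8859-1).
RAW_EVENT = b"2012-05-01 10:00:00\xfeclick\xfead-42"

DELIM = "\u00fe"     # þ, the delimiter the SEDCMD on the page targets
REPLACEMENT = ", "   # what the SEDCMD on the page turns it into


def decode_event(raw: bytes, charset: str) -> str:
    # Assumption: bytes that are invalid in the charset become U+FFFD.
    return raw.decode(charset, errors="replace")


def respace_delimiter(text: str) -> str:
    # Plain string replacement standing in for the SEDCMD rule.
    return text.replace(DELIM, REPLACEMENT)


def parse(raw: bytes, charset: str) -> str:
    # Both steps run in the same place, decode first.
    return respace_delimiter(decode_event(raw, charset))


def delimiter_survives(raw: bytes, charset: str) -> bool:
    # Check to run on a sample of the data before relying on the rewrite rule.
    return DELIM in decode_event(raw, charset)


if __name__ == "__main__":
    for cs in ("iso-8859-1", "utf-8"):
        print(cs, delimiter_survives(RAW_EVENT, cs), repr(parse(RAW_EVENT, cs)))
```

Running the same check against a sample of the real file shows whether the delimiter is still present after decoding with the charset configured on the tier that parses the data.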