Having a strange issue. I am trying to set up a transform to automatically extract key/value pairs from a non-standard XML file. I have a local Splunk instance where I did this development. Here is what I did:
Did an Add New of a data source
Selected a local copy of the XML file
The data was read once (not set to monitor the file)
Data was indexed into an index called 'app_test'
Data is in the Search app
I then went ahead and updated my props.conf and transforms.conf in my $SPLUNK_ROOT/etc/apps/search/local:
REPORT-myXmlClassName = xmlTransform
REGEX = \<(\w+[^\n\/\>]+)\/?\>([^\<\n][^\<]*)\<
FORMAT = $1::$2
The extraction worked beautifully. So next I went to go add it to my clustered environment. I have the XML data being indexed to an index called app_dmwt. I also created an app called 'DMWT'. I created similar additions to the props.conf and transforms.conf, but this time put it in $SPLUNK_ROOT/etc/shcluster/app/DMWT/default . Note that the difference here is that instead of doing an add datasource from the UI, I have a forwarder monitoring 3 files each as their own sourcetype.
Yea, the transforming is done on the indexers, not the search heads.
But I am also wondering why you tried to deploy the changes in the "default" directory. This is only done when you deploy the first time. When you update the configuration, you usually store it under \local\ and don't change \default\ files.
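To see which fields the REGEX / FORMAT pair from the question produces before deploying it, the following added example (not part of the original thread) runs that regex over a constructed sample event. Python's `re` stands in for Splunk's PCRE engine, `clean_key` only approximates Splunk's default key cleaning, and repeated matching across the event is an assumption; `SAMPLE`, `extract` and `unextracted_tags` are hypothetical names.

```python
import re

# REGEX from the question's transforms.conf, copied unchanged.
REGEX = re.compile(r"\<(\w+[^\n\/\>]+)\/?\>([^\<\n][^\<]*)\<")

# Constructed sample event (not from the original post).
SAMPLE = """<record id="7">
<user>alice</user>
<srcIp>10.0.0.5</srcIp>
<action type="login">success</action>
<n>3</n>
<empty/>
</record>"""


def clean_key(name):
    # Approximation of Splunk's default key cleaning (CLEAN_KEYS = true):
    # non-alphanumeric characters become underscores, and leading
    # underscores and digits are stripped.
    return re.sub(r"[^A-Za-z0-9_]", "_", name).lstrip("_0123456789")


def extract(event):
    # FORMAT = $1::$2 -> group 1 is the field name, group 2 the value.
    # Assumption: the regex is applied repeatedly across the event.
    return [(clean_key(m.group(1)), m.group(2)) for m in REGEX.finditer(event)]


def unextracted_tags(event):
    # Opening tag names that the regex never turned into a field.
    matched = {re.match(r"\w+", m.group(1)).group(0) for m in REGEX.finditer(event)}
    return [t for t in re.findall(r"<(\w+)", event) if t not in matched]


if __name__ == "__main__":
    for key, value in extract(SAMPLE):
        print(f"{key} = {value}")
    print("no field for:", unextracted_tags(SAMPLE))
```

Note that the regex folds tag attributes into the field name, and that single-character tag names, self-closing elements and elements whose content starts on a new line yield no field at all.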