I'm wondering where search-time extractions happen, on the search head or on the indexer, as we keep props and transforms on the search head.
Hello @atulpatel,
Search-time extractions happen on the indexer. But we keep props.conf and transforms.conf on the search head, right? The answer is the knowledge bundle. props.conf and transforms.conf are part of the knowledge bundle, and the search head regularly sends the knowledge bundle to the indexer.
Please read more here - https://docs.splunk.com/Documentation/Splunk/7.2.6/DistSearch/Whatsearchheadssend
Does the search head replicate the knowledge bundle?
Yes, if standalone search; if it is SHC, then the captain node replicates the knowledge bundle to the cluster.
Hi @atulpatel,
First thing to note is that the search head sends a knowledge bundle to the indexers containing most of your configuration files, so even though you have your props.conf and transforms.conf on your SH, this will get pushed down to the indexers. You can read more about it here:
https://docs.splunk.com/Documentation/Splunk/7.3.0/DistSearch/Whatsearchheadssend#What_the_knowledge...
Second is your original question, "where do search time extractions happen". The answer to that is: it depends. If you're running a search like this in verbose:
index=test sourcetype=abc
Then the extraction happens on the indexers and is sent to the search heads.
If you're running a search like this one:
index=test sourcetype=abc | stats count by _raw | rex field=_raw "youRegularExpressionHere"
This rex happens on the search head as the data is already there and the extraction is happening on the fetched data.
So it all really depends on what time the extractions are happening in your search.
Cheers,
David