Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Where do search time extractions happen?

atulpatel
Explorer
‎06-19-2019 07:39 AM

I'm wondering where do search time extractions happen on search head or on indexer as we keep props and transforms on the search head.

Reply
1 Solution
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎06-19-2019 11:43 PM

Hello @atulpatel,

Search time extractions happen on the indexer. But we keep props.conf and transforms.conf on the search head right? Answer is Knowledge Bundle. props.conf and transforms.conf is part of the knowledge bundle and Search head regularly sends the knowledge bundle to the indexer.
Please read more here - https://docs.splunk.com/Documentation/Splunk/7.2.6/DistSearch/Whatsearchheadssend

View solution in original post

Reply
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎06-19-2019 11:43 PM

Hello @atulpatel,

Search time extractions happen on the indexer. But we keep props.conf and transforms.conf on the search head right? Answer is Knowledge Bundle. props.conf and transforms.conf is part of the knowledge bundle and Search head regularly sends the knowledge bundle to the indexer.
Please read more here - https://docs.splunk.com/Documentation/Splunk/7.2.6/DistSearch/Whatsearchheadssend

Reply
Solved! Jump to solution

atulpatel
Explorer
‎06-20-2019 05:14 AM

Do search head replicate the knowledge bundle?

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎06-20-2019 06:24 AM

Yes, If standalone search, if it is SHC then captain node replicates knowledge bundle to cluster.

Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎06-19-2019 10:07 AM

Hi @atulpatel,

First thing to note is that the search head sends a knowledge bundle to the indexers containing most of your configuration files, so even though you have your props.conf and transforms.conf on your SH, this will get pushed down to the indexers. You can read more about it here:
https://docs.splunk.com/Documentation/Splunk/7.3.0/DistSearch/Whatsearchheadssend#What_the_knowledge...

Second is your original question "where do search time extractions happen", the answer to that is it depends. If you're running and search like this in verbose :

index=test sourcetype=abc

Then the extraction happens on the indexers and is sent to the search heads.
If you're running a search like this one :

  index=test sourcetype=abc | stats count by _raw | rex field=_raw "youRegularExpressionHere"

This rex happens on the search head as the data is already there and the extraction is happening on the fetched data.

So it all really depends on what time the extractions are happening in your search.

Cheers,
David

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...