
props/transforms combination not working since switching from indexing locally to forwarding

mjones414
Contributor

props.conf:
[pbs:status]
TRANSFORMS-pbs_set_host = pbs_set_host
BREAK_ONLY_BEFORE = (^name1|^name2|^name3|^name4|^name5|^name6|^name7|^name8|^name9)
NO_BINARY_CHECK = 1
pulldown_type = 1

transforms.conf:
[pbs_set_host]
DEST_KEY = MetaData:Host
REGEX = /^(.*)$/m
FORMAT = host::$1

The data originates from a script running on a search head. While indexing at a search head, it would successfully reset the hostname according to the regex. I've since started having the search head forward that data to indexers and copied the props and transforms to the indexers, and issued a /debug/refresh and also tried a | extract reload=T, but the transform is no longer applying and the host name remains the host running the script. How can I configure this for the regex to work properly again in a forwarded scenario?


Ayn
Legend

The search head is a full instance of Splunk so it will perform parsing, and therefore your settings for transforming the events should still go on the search head even if you're forwarding them to the indexers. Once data arrives at the indexers it will already have been "cooked" by the search head, so the indexers won't do anything with it.
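The behaviour described in the answer above, modelled as an added example that is not part of the original post or Splunk's own code: only the first full instance on the path parses an event, so index-time transforms placed only on later hops never run. The `route` and `parse` helpers, the instance names, the sample event and the Python form of the regex are assumptions made for illustration.

```python
import re

# Index-time transform from the question (transforms.conf [pbs_set_host]).
# Assumption: this Python pattern stands in for the page's REGEX value.
TRANSFORMS = {"pbs_set_host": (re.compile(r"^(.*)$", re.M), "host::{0}")}
PROPS = {"pbs:status": ["pbs_set_host"]}  # TRANSFORMS-pbs_set_host in props.conf


def parse(event, props, transforms):
    """Apply index-time host overrides, then mark the event as cooked."""
    for name in props.get(event["sourcetype"], []):
        regex, fmt = transforms[name]
        m = regex.search(event["raw"])
        if m:
            event["host"] = fmt.format(m.group(1)).split("::", 1)[1]
    event["cooked"] = True
    return event


def route(event, hops):
    """Send one event through a chain of instances (hypothetical model).

    Each hop is (name, is_full_instance, props, transforms). Only the first
    full instance parses; later hops receive cooked data and skip this stage.
    """
    event = dict(event, cooked=False, parsed_on=None)
    for name, is_full, props, transforms in hops:
        if is_full and not event["cooked"]:
            parse(event, props, transforms)
            event["parsed_on"] = name
    return event


# Constructed sample event: the first line carries the node name.
EVENT = {"host": "searchhead01", "sourcetype": "pbs:status",
         "raw": "name1\nstate = free\nnp = 8"}

# Config only on the indexer: the search head parses first, with nothing to apply.
only_indexer = route(EVENT, [("searchhead01", True, {}, {}),
                             ("indexer01", True, PROPS, TRANSFORMS)])
# Config on the search head: the override is applied before forwarding.
on_search_head = route(EVENT, [("searchhead01", True, PROPS, TRANSFORMS),
                               ("indexer01", True, PROPS, TRANSFORMS)])

if __name__ == "__main__":
    print(only_indexer["host"], only_indexer["parsed_on"])
    print(on_search_head["host"], on_search_head["parsed_on"])
```

A hop with `is_full_instance` set to `False` models a forwarder that does not parse, in which case the next full instance applies the transform.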

mjones414
Contributor

I will try kicking the search head in an hour or so to see if it makes a difference. 🙂 Thanks for the help! If that works I'll make sure to still give you credit!


Ayn
Legend

Did you restart the Splunk instances or just issue a /debug/refresh + extract reload=t? The latter don't apply to any index-time configurations, so in order for any of these kinds of settings to take effect you need to restart. It's a long shot, but still... 😉


mjones414
Contributor

The thing is I never removed or remarked out the props/transforms on the search head either. Essentially, once I set up an outputs.conf to autoLB across indexers, all stopped working even though I copied both stanzas over to all indexers in the LB group.
