Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

which props.conf do i modify for search-time field extraction?

builder
Path Finder
‎06-14-2011 05:32 PM

I am new to splunk so forgive my ignorance. My set up is that I have splunk forwarders sending data to two load balanced indexers. I then have a search head that uses the indexers as search peers. I am reading documentation about setting up search-time field extraction in props.conf. I have been playing around with it and it's not behaving as expected. However, I just realized, I'm not sure if I am supposed to be modifying props.conf on my search head or on my indexers. I was doing it on my search head with no success, but then it occurred to me that since the search head uses the indexers as search peers, maybe it should be done there? Can anyone confirm the correct place to put the field extractions?

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎06-14-2011 05:56 PM

You should be putting search-time configuration onto your search head. Look at http://www.splunk.com/base/Documentation/latest/Deploy/Whatisdistributedsearch under "What search heads send to search peers". When you do a distributed search, the search head will replicate its search-time configuration data to all of the search peer indexers.

Now, considering this is what you have done, I'm not sure what needs to be done to further diagnose why your extractions are not working as desired. You should probably check your various splunkd.log files for error messages related to bundle replication.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎06-14-2011 05:56 PM

You should be putting search-time configuration onto your search head. Look at http://www.splunk.com/base/Documentation/latest/Deploy/Whatisdistributedsearch under "What search heads send to search peers". When you do a distributed search, the search head will replicate its search-time configuration data to all of the search peer indexers.

Now, considering this is what you have done, I'm not sure what needs to be done to further diagnose why your extractions are not working as desired. You should probably check your various splunkd.log files for error messages related to bundle replication.

0 Karma
Reply
Solved! Jump to solution

builder
Path Finder
‎06-16-2011 10:44 AM

Just going to start a new thread as this one seems to have died. : P

0 Karma
Reply
Solved! Jump to solution

builder
Path Finder
‎06-15-2011 10:14 AM

Thanks! The field is showing up in search results now. I had an invalid character in my field name. I accidentally used - instead of _. Now I have a new problem. I can see the field and all valid values of the field with relative percentages. However, if I click on one of those values to search by it, I get 0 results/No matching events found. Given that it just showed me the count of all the events with that value, that doesn't seem right. Note that if I search by field="*", I get all results, but any specific value returns no results. Has anyone seen that before? Should I start a new thread?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...