Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

which props.conf do i modify for search-time field extraction?

builder
Path Finder
‎06-14-2011 05:32 PM

I am new to splunk so forgive my ignorance. My set up is that I have splunk forwarders sending data to two load balanced indexers. I then have a search head that uses the indexers as search peers. I am reading documentation about setting up search-time field extraction in props.conf. I have been playing around with it and it's not behaving as expected. However, I just realized, I'm not sure if I am supposed to be modifying props.conf on my search head or on my indexers. I was doing it on my search head with no success, but then it occurred to me that since the search head uses the indexers as search peers, maybe it should be done there? Can anyone confirm the correct place to put the field extractions?

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎06-14-2011 05:56 PM

You should be putting search-time configuration onto your search head. Look at http://www.splunk.com/base/Documentation/latest/Deploy/Whatisdistributedsearch under "What search heads send to search peers". When you do a distributed search, the search head will replicate its search-time configuration data to all of the search peer indexers.

Now, considering this is what you have done, I'm not sure what needs to be done to further diagnose why your extractions are not working as desired. You should probably check your various splunkd.log files for error messages related to bundle replication.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎06-14-2011 05:56 PM

You should be putting search-time configuration onto your search head. Look at http://www.splunk.com/base/Documentation/latest/Deploy/Whatisdistributedsearch under "What search heads send to search peers". When you do a distributed search, the search head will replicate its search-time configuration data to all of the search peer indexers.

Now, considering this is what you have done, I'm not sure what needs to be done to further diagnose why your extractions are not working as desired. You should probably check your various splunkd.log files for error messages related to bundle replication.

0 Karma
Reply
Solved! Jump to solution

builder
Path Finder
‎06-16-2011 10:44 AM

Just going to start a new thread as this one seems to have died. : P

0 Karma
Reply
Solved! Jump to solution

builder
Path Finder
‎06-15-2011 10:14 AM

Thanks! The field is showing up in search results now. I had an invalid character in my field name. I accidentally used - instead of _. Now I have a new problem. I can see the field and all valid values of the field with relative percentages. However, if I click on one of those values to search by it, I get 0 results/No matching events found. Given that it just showed me the count of all the events with that value, that doesn't seem right. Note that if I search by field="*", I get all results, but any specific value returns no results. Has anyone seen that before? Should I start a new thread?

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...