Splunk Search

which props.conf do i modify for search-time field extraction?

Path Finder

I am new to splunk so forgive my ignorance. My setup is that I have splunk forwarders sending data to two load balanced indexers. I then have a search head that uses the indexers as search peers. I am reading documentation about setting up search-time field extraction in props.conf. I have been playing around with it and it's not behaving as expected. However, I just realized, I'm not sure if I am supposed to be modifying props.conf on my search head or on my indexers. I was doing it on my search head with no success, but then it occurred to me that since the search head uses the indexers as search peers, maybe it should be done there? Can anyone confirm the correct place to put the field extractions?

Thanks!

1 Solution

SplunkTrust

You should be putting search-time configuration onto your search head. Look at http://www.splunk.com/base/Documentation/latest/Deploy/Whatisdistributedsearch under "What search heads send to search peers". When you do a distributed search, the search head will replicate its search-time configuration data to all of the search peer indexers.

Now, considering this is what you have done, I'm not sure what needs to be done to further diagnose why your extractions are not working as desired. You should probably check your various splunkd.log files for error messages related to bundle replication.

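The accepted answer says where the extraction goes (the search head, replicated to the peers in the knowledge bundle) and what to check when it does not show up (splunkd.log); the later comment in this thread found the actual cause was a hyphen in the field name. The script below is an added example, not code from the thread or from Splunk: it writes an EXTRACT stanza into an app's local props.conf only if the field name is valid, and counts bundle-related WARN/ERROR lines in a splunkd.log. Assumptions: SPLUNK_HOME defaults to /opt/splunk, the app name my_extractions is hypothetical, the field-name rule is Splunk's documented one (a-z, A-Z, 0-9 and underscore; no leading digit or underscore), and the log pattern and component names in the constructed sample lines are illustrative rather than copied from a real splunkd.log.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: SPLUNK_HOME defaults
# to /opt/splunk and the app name "my_extractions" is hypothetical.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
# Search-time knowledge belongs on the search head; this is the intended target.
SH_CONF_DIR="$SPLUNK_HOME/etc/apps/my_extractions/local"

# Splunk's documented field-name rule: a-z, A-Z, 0-9 and _ only, and the name
# may not begin with a digit or an underscore. A hyphen (the thread's "-" for
# "_" mistake) fails this rule and is also not legal in a PCRE group name.
valid_field_name() {
  case "$1" in
    '' | [0-9_]* | *[!A-Za-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Append "[sourcetype]" + "EXTRACT-<field> = <regex>" to props.conf in the given
# directory. The regex must contain a named capture group with the field's name,
# because that group name is what becomes the search-time field.
write_extraction() {
  sourcetype="$1"; field="$2"; regex="$3"; conf_dir="$4"
  if ! valid_field_name "$field"; then
    echo "refusing to write extraction: invalid field name '$field'" >&2
    return 1
  fi
  case "$regex" in
    *"(?<$field>"* | *"(?P<$field>"*) ;;
    *) echo "regex does not define a named group '$field'" >&2; return 1 ;;
  esac
  mkdir -p "$conf_dir"
  printf '[%s]\nEXTRACT-%s = %s\n\n' "$sourcetype" "$field" "$regex" >> "$conf_dir/props.conf"
}

# Count WARN/ERROR lines in a splunkd.log that mention the knowledge bundle.
# Assumption: replication problems carry the word "bundle" in the message;
# adjust the pattern to whatever your Splunk version actually logs.
bundle_problems() {
  grep -Eic '(WARN|ERROR).*bundle' "$1" || true
}

# Stand-alone demo on a temp directory with a constructed log (sample data).
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  write_extraction access_combined client_ip 'from (?<client_ip>[0-9.]+)' "$tmp/local"
  write_extraction access_combined client-ip 'from (?<client-ip>[0-9.]+)' "$tmp/local" \
    || echo "(hyphenated name rejected, as expected)"
  cat "$tmp/local/props.conf"
  printf '%s\n' \
    '01-01-2024 10:00:00.000 +0000 INFO  DistributedBundleReplicationManager - replication finished' \
    '01-01-2024 10:00:01.000 +0000 ERROR DistributedBundleReplicationManager - bundle replication failed' \
    > "$tmp/splunkd.log"
  echo "bundle problems in sample log: $(bundle_problems "$tmp/splunkd.log")"
  echo "on a real search head the stanza would go in: $SH_CONF_DIR/props.conf"
  rm -rf "$tmp"
fi
```

Run it as `sh extract.sh demo` to see the rejected hyphenated name and the log count. On a real deployment, write the stanza to `$SPLUNK_HOME/etc/apps/<app>/local/props.conf` on the search head, reload search-time knowledge (a restart, or a search that reloads props), and confirm on each indexer that the replicated bundle under `$SPLUNK_HOME/var/run/searchpeers/` contains the new props.conf; if it does not, the bundle-related WARN/ERROR lines in the search head's and peers' splunkd.log are the place to look, as the answer suggests.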

Path Finder

Just going to start a new thread as this one seems to have died. : P


Path Finder

Thanks! The field is showing up in search results now. I had an invalid character in my field name. I accidentally used - instead of _. Now I have a new problem. I can see the field and all valid values of the field with relative percentages. However, if I click on one of those values to search by it, I get 0 results/No matching events found. Given that it just showed me the count of all the events with that value, that doesn't seem right. Note that if I search by field="*", I get all results, but any specific value returns no results. Has anyone seen that before? Should I start a new thread?
