I read the admin guide section on conf file precedence. It didn't see any info on the implications of a distributed setup. Scenario: search-head indexer-1 indexer-2 I am thinking of having a props file on the search head which references 2 different transforms. 1 of the transforms will be defined in the transforms file on the search head. The other transform will be located in etc/system/local on each of the indexers. Each indexer will have a slightly different version of the transform due to what they are processing. Will splunk span the confs between the replicated search head props/transforms and the local indexer version of the transforms conf? ... View more

Hi folks, I'm trying to add an indexed field to a distributed setup, but I can't seem to get it working. (I'm aware that indexed fields are not typically recommended) Here's the scenario: I have multiple indexers at different locations. I need to add a field to every message that is processed which includes the site where it came from. On my search head (which is distributing the confs to the indexers), I have the following: /opt/splunk/etc/system/local/props.conf: [syslog] TRANSFORMS-location = add_location /opt/splunk/etc/system/local/transforms.conf [add_location] SOURCE_KEY = location REGEX = (.*) FORMAT = location::$1 WRITE_META = true /opt/splunk/etc/system/local/fields.conf [location] INDEXED = true INDEXED_VALUE = false On the indexer I'm testing with, I have the following: /opt/splunk/etc/apps/search/local/inputs.conf [tcp://5514] connection_host = dns sourcetype = syslog no_priority_stripping = true no_appending_timestamp = true location = ny I found a similar question that I've used as a guide. Any ideas? Are there any logs/commands that I can use to see why the indexed field isn't getting added to the events? Thanks. ... View more

Hi Folks, I'd appreciate any advice on a good way to add site specific information to events. I have a distributed setup with multiple indexers per location, and multiple locations. The index names are the same across all of the indexers. For example, let's say I have a datacenter in ny and one in la. Each of these has 3 indexers. I want to be able to search across all of them as well as limit my search to just ny or just la. There is nothing in the data that denotes which location the event took place in. I also don't want to have to know the hostnames of the splunk indexers in order to perform the localized search. I was thinking of adding an indexed field in a similar fashion to this thread: http://answers.splunk.com/questions/1453/how-do-i-add-metadata-to-events-coming-from-a-splunk-forwarder Are there any other alternatives? Thanks. ... View more

I have a syslog box forwarding to splunk for indexing. I have the input type setup as syslog. Unfortunately, it doesn't appear that splunk automatically decodes the syslog facility/priority integer. I would like to either add this meta data to each message (preferred) or change the incoming message (less preferred) before splunk indexes it. I found a script over at splunkbase which appears to have the logic for the decoding portion, however it looks like this script can only be used during searches. I would prefer not to go the route of performing the decoding during searching as it seems like it would add quite a bit of overhead compared to having it already indexed with the facility/priority. Thanks in advance for any advice. ... View more