- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Where to perform field extraction in Splunk cluste...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where to perform field extraction in Splunk cluster
Hi, I am new to Splunk. I have built a splunk cluster (3 indexers, 1 master(also the license master), 1 search head).
I have deployed universal forwarders to all the servers using ansible and I am getting the data that I require. However I am not sure where do I now extract fields - in the indexers or search head?
Please advice...
Thanks,
Nelton
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The usual consultant's answer - "it depends".
The most often used field extraction - the search-time extractions are defined on the search-head tier because... tada! they happen during search time 🙂 (actually their definitions are replicated internally to indexers so that searches can run properly but these are internal intricacies you don't have to concern yourself with at this point ;-)).
But if you want to create so-called "indexed fields" (which isn't often done but the possibility is there), you have to define them in ingest-time which means either on indexers or on any other "heavy" component your events go through first.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @neltonk ,
field extractions at search time must always be configured on Search Heads (both clustered or not clustered), infact you should install on the SHs all the add-ons that you need.
If you have index time extractions, you must add them on Indexers (using The Cluster Manager) or, if present on Heavy Forwarders.
But usually field extractions are done at search time, so on SHs.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's easier to add extractions on SHC so you can modify them if you need. On indexers they will be fixed once indexed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Field extractions are configured on the Search Head, since they happen at search time.
Unless you have any specific need to perform index time extractions (e.g. to override the host / sourcetype). Those would have to be set on the indexers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot for your quick response... if I have to override the host field, do I have to do the field extraction on each indexer? Please let me know.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Best is to create a small app, that contains the relevant props.conf and transforms.conf and push that to all indexers in the cluster from the cluster master.
http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Updatepeerconfigurations
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And when done on indexer, will I be using the splunk web to do this or should this be done using props.conf.
Thanks,Nelton
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
