In the diagrammed environment shown below, the customer would like the data read by the universal forwarders to set an indexed field containing the UF's host name. Where would the parsing configurations need to be installed for this to work?
In Splunk environments, parsing and indexing configurations must be placed carefully so that data is processed and indexed properly. The requirement here is to set an indexed field containing the universal forwarder's host name. For this, parsing needs to occur both at the point where data is initially received and where it is indexed. Parsing in Splunk is configured through props.conf and transforms.conf, which must be placed on the instances that perform parsing. In this environment, the parsing instances are the heavy forwarders and the indexers. To ensure that the universal forwarder's host name is indexed correctly, the parsing configurations therefore need to be installed on all parsing Splunk instances, which includes heavy forwarders and indexers. This makes option D the correct choice.
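A sketch of the kind of parsing configuration the explanation refers to, added here as an example and not taken from the original question or from the customer's environment. The stanza name `add_uf_host`, the field name `uf_host` and the sourcetype `example:sourcetype` are assumptions chosen for illustration.

```ini
# ---- transforms.conf ----
# Deploy to every parsing instance: the heavy forwarders AND the indexers.
# Data that a heavy forwarder has already parsed is not parsed again on the
# indexers, so a copy on the indexers alone would miss HF-routed data, and a
# copy on the heavy forwarders alone would miss UFs that send directly.
[add_uf_host]
# Read the event's host metadata, which is stored as "host::<value>".
SOURCE_KEY = MetaData:Host
REGEX = ^host::(.+)$
# Write the captured value as an indexed field named uf_host (assumed name).
FORMAT = uf_host::$1
WRITE_META = true

# ---- props.conf ----
# Same instances as transforms.conf. The sourcetype below is a placeholder;
# use the stanza that matches the data the universal forwarders send.
[example:sourcetype]
TRANSFORMS-add_uf_host = add_uf_host

# ---- fields.conf ----
# Declares uf_host as an indexed field so searches treat it as one.
# See Splunk's index-time field extraction documentation for where to deploy it.
[uf_host]
INDEXED = true
```

The transform copies whatever host value the event carries when it is parsed, so any host override applied earlier in the pipeline changes what ends up in `uf_host`.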
D, in IF and IDX
D, the props and transforms will go on the HF if there is one (which in this case there is), and then the IDXs will need a fields.conf. https://docs.splunk.com/Documentation/Splunk/9.0.2/Data/Configureindex-timefieldextraction
The key here is "parsing" instances. The hosts sending directly require parsing on the indexer peers, and the hosts sending to the HFs require parsing on the HF instances. So all parsing instances is the right answer.