V1.1
Many Solutions, One Goal.
Where do my Splunk®
props.conf settings belong? props.conf
Extracting
Fields
Data
Data
Filtering Changing
Line Breaking Time Stamping Routing
meta fields
Are you using
YES
TRANSFORMS-*?
Does the sourcetype use
YES NO
INDEXED_EXTRACTIONS?
Forwarder
NO
Are you using Are you using
JSON? REPORT-*,
EXTRACT-* or
KV_MODE?
Is the data being ingested
YES
on a Heavy Forwarder?
YES
Heavy
NO Forwarder
YES
YES
Make sure you set
Will the data pass through a KV_MODE = none for
Heavy Forwarder? the sourcetype on the
search head
NO
Is the data being ingested
YES
on a Search Head?
Search
Head
NO
Indexer Splunk is a registered trademark of Splunk, Inc.
Provided by Aplura, LLC. Splunk Consulting This work is licensed under the Creative Commons
and Application Development Services. sales@aplura.com https://www.aplura.com Attribution-ShareAlike 4.0 International License.