Configuration parameters and the data pipeline
Data goes through several phases as it transitions from raw input to searchable events. This process is called the data pipeline and consists of four phases:
Each phase of the data pipeline relies on different configuration file parameters. Knowing which phase uses a particular parameter allows you to identify where in your Splunk deployment topology you need to set the parameter.
What the data pipeline looks like
This diagram outlines the data pipeline:
The Distributed Deployment manual describes the data pipeline in detail, in "How data moves through Splunk: the data pipeline".
How Splunk Enterprise components correlate to phases of the pipeline
One or more Splunk Enterprise components can perform each of the pipeline phases. For example, a universal forwarder, a heavy forwarder, or an indexer can perform the input phase.
Data only goes through each phase once, so each configuration belongs on only one component, specifically, the first component in the deployment that handles that phase. For example, say you have data entering the system through a set of universal forwarders, which forward the data to an intermediate heavy forwarder, which then forwards the data onwards to an indexer. In that case, the input phase for that data occurs on the universal forwarders, and the parsing phase occurs on the heavy forwarder.
Data pipeline phase | Components that can perform this role |
---|---|
Input | indexer universal forwarder heavy forwarder |
Parsing | indexer heavy forwarder light/universal forwarder (in conjunction with the INDEXED_EXTRACTIONS attribute only)
|
Indexing | indexer |
Search | indexer search head |
Where to set a configuration parameter depends on the components in your specific deployment. For example, you set parsing parameters on the indexers in most cases. But if you have heavy forwarders feeding data to the indexers, you instead set parsing parameters on the heavy forwarders. Similarly, you set search parameters on the search heads, if any. But if you aren't deploying dedicated search heads, you set the search parameters on the indexers.
For more information, see "Components and the data pipeline" in the Distributed Deployment Manual.
How configuration parameters correlate to phases of the pipeline
This is a non-exhaustive list of configuration parameters and the pipeline phases that use them. By combining this information with an understanding of which Splunk component in your particular deployment performs each phase, you can determine where to configure each setting.
For example, if you are using universal forwarders to consume inputs, you need to configure inputs.conf
parameters on the forwarders. If, however, your indexer is directly consuming network inputs, you need to configure those network-related inputs.conf
parameters on the indexer.
The following items in the phases below are listed in the order Splunk applies them (ie LINE_BREAKER
occurs before TRUNCATE
).
Input phase
- inputs.conf
- props.conf
CHARSET
NO_BINARY_CHECK
CHECK_METHOD
CHECK_FOR_HEADER
(deprecated)PREFIX_SOURCETYPE
- sourcetype
- wmi.conf
- regmon-filters.conf
Structured parsing phase
- props.conf
INDEXED_EXTRACTIONS
, and all other structured data header extractions
Parsing phase
- props.conf
LINE_BREAKER
,TRUNCATE
,SHOULD_LINEMERGE
,BREAK_ONLY_BEFORE_DATE
, and all other line merging settingsTIME_PREFIX
,TIME_FORMAT
,DATETIME_CONFIG
(datetime.xml),TZ
, and all other time extraction settings and rulesTRANSFORMS
which includes per-event queue filtering, per-event index assignment, per-event routingSEDCMD
MORE_THAN
,LESS_THAN
- transforms.conf
- stanzas referenced by a
TRANSFORMS
clause in props.conf LOOKAHEAD
,DEST_KEY
,WRITE_META
,DEFAULT_VALUE
,REPEAT_MATCH
- stanzas referenced by a
Indexing phase
- props.conf
SEGMENTATION
- indexes.conf
- segmenters.conf
Search phase
- props.conf
EXTRACT
REPORT
LOOKUP
KV_MODE
FIELDALIAS
EVAL
rename
- transforms.conf
- stanzas referenced by a
REPORT
clause in props.conf filename
,external_cmd
, and all other lookup-related settingsFIELDS
,DELIMS
MV_ADD
- stanzas referenced by a
- lookup files in the lookups folders
- search and lookup scripts in the bin folders
- search commands and lookup scripts
- savedsearches.conf
- eventtypes.conf
- tags.conf
- commands.conf
- alert_actions.conf
- macros.conf
- fields.conf
- transactiontypes.conf
- multikv.conf
Other configuration settings
There are some settings that don't work well in a distributed Splunk environment. These tend to be exceptional and include:
- props.conf
CHECK_FOR_HEADER
(deprecated),LEARN_MODEL
,maxDist
. These are created in the parsing phase, but they require generated configurations to be moved to the search phase configuration location.
List of configuration files | Back up configuration information |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2, 9.3.0
Feedback submitted, thanks!