index-time extractions

Hi,

I am trying to configure some index-time field extractions on a SplunkForwarder, so that I can tag all events from the Forwarder with a couple of additional fields.

It is impractical to try to do this at search-time.

I have tried adding the following files to the forwarder, in an attempt to follow the documentation:

• /opt/splunk/etc/system/local/props.conf

[default]

TRANSFORMS-role = xxx-role

TRANSFORMS-environment = xxx-environment

• /opt/splunk/etc/system/local/transforms.conf

[xxx-environment]

DEFAULT_VALUE = common

FORMAT = environment::"common"

WRITE_META = true

[xxx-role]

DEFAULT_VALUE = client

FORMAT = role::"client"

WRITE_META = true

• /opt/splunk/etc/system/local/fields.conf

[role]

INDEXED=true

INDEXED_VALUE=false

[environment]

INDEXED=true

INDEXED_VALUE=false

N.B. The config files look "normal" however I can't manage to format the question.

The only change made to the indexing server has been to add the same fields.conf file.

Having restarted both the forwarder and indexer, I am still unable to search on either "role" or "environment".

(I am trying to search with environment="common" for example.)

Any advice/solution would be greatly appreciated.

Thanks,

mgh