topic Re: props.conf not applying in Splunk Enterprise

props.conf not applying

irwinj_125 — Thu, 28 Jan 2021 21:59:21 GMT

Hello,

I have a log file with dates occurring inside the lines (not just at the beginning of the line). Splunk is creating a separate event each time the date/timestamp is encountered, not just at the beginning of the line. I've done a lot of research on these forums and have tried playing extensively with props.conf inside my etc/system/local directory (which I believe is highest priority). I've tried using "LINE_BREAKER" with a regular expression (date/time stamp at the beginning of the line) and "SHOULD_LINEMERGE" set to false, have also tried "BREAK_ONLY_BEFORE", "TIME_PREFIX", "TIME_FORMAT", etc. Anytime I've made these changes and re-started Splunk, I am able to see them when I use the btool command to check for props settings, so they do seem to be picking up. However, in my GUI, my log files continue to break at any date/timestamp encountered.

Perhaps there is something else wrong with my settings. Here's what my input.conf looks like and one thing I've tried for props.conf in the same folder.

input.conf entry:
[monitor:///path_to_log/log_file_name*.log]
disabled = 0
sourcetype = log_file_name

props.conf entry (just one of many settings I've tried):
[log_file_name]
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
sourcetype = log_file_name

Any suggestions would be appreciated.

Re: props.conf not applying

ekenne06 — Thu, 28 Jan 2021 23:12:36 GMT

i'm having this same exact issue. Here is my post:

https://community.splunk.com/t5/Getting-Data-In/XML-Data-Line-Breaking-on-DateTime-tag/m-p/537715#M90110

Given a suggestion to set the TIM_PREFIX = ^ That should only search for the timestamp at the beginning of the data. However this isn't working for me. Can you give it a go and let me know how it works?

Re: props.conf not applying

ekenne06 — Thu, 28 Jan 2021 23:13:17 GMT

Sorry, TIME_PREFIX = ^

Re: props.conf not applying

irwinj_125 — Thu, 28 Jan 2021 23:51:11 GMT

Yep I tried that one as well...seemed to make sense but no luck. I've thinking I have some other configuration issue at play.

Re: props.conf not applying

ekenne06 — Fri, 29 Jan 2021 00:16:07 GMT

Here is something else I found, just haven't been able to test it yet. https://community.splunk.com/t5/Getting-Data-In/Timestamp-and-line-not-properly-break/m-p/262342

will let you know if it helps at all

Re: props.conf not applying

richgalloway — Fri, 29 Jan 2021 00:37:18 GMT

A couple of thing to note since they're not mentioned in the question.

Changes to config files don't take effect until Splunk restarts.
Changes to props.conf only affect NEW data. Events already indexed never change.

Re: props.conf not applying

irwinj_125 — Fri, 29 Jan 2021 15:57:03 GMT

Thanks.

Yes, I 've restarted the splunk forwarder each time I've made changes.

To test, I create a new log file in the log directory containing the required data. I see the new data in the GUI, but not with the expected breaks.

Re: props.conf not applying

richgalloway — Fri, 29 Jan 2021 17:44:27 GMT

To apply props.conf changes, it's the indexer that must be restarted rather than the universal forwarder.

If you use a heavy forwarder then the props.conf changes go there as well (and the HF must be restarted).

Re: props.conf not applying

irwinj_125 — Fri, 29 Jan 2021 19:38:10 GMT

Thanks, that is good to know. I can stop/start the forwarder at anytime, but probably not the indexer as its heavily in use.

Finally found a solution based on the feedback here: https://community.splunk.com/t5/Getting-Data-In/Universal-Forwarder-and-props-conf-and-transforms-conf/m-p/39727

Once I added force_local_processing = true into my local props.conf, the data appears as I expect it.

One thing I didn't fully understand in the above is this quote: "Note that if the Universal Forwarder does the indexing, the Splunk instances won't: all of the index-time work must be done on the Universal Forwarder." Does this basically mean that any further indexing laid out on the indexer itself will not take place for this specific sourcetype?

Splunk documentation also says regarding this:

Note that switching this property potentially increases the cpu
  and memory consumption of the forwarder.

Not sure how concerned I should be about this.

Thanks Rich for your guidance.

Re: props.conf not applying

richgalloway — Fri, 29 Jan 2021 20:45:22 GMT

Good find, but I would consider that a temporary fix. Restart the indexer in the next maintenance window and then turn off that flag in the UF.

You read it correctly, the UF is now doing the work of the indexer (except for the write-to-disk part). It's causing the UF to use more CPU, memory, and network bandwidth.

Re: props.conf not applying

irwinj_125 — Fri, 29 Jan 2021 21:15:58 GMT

Thanks Rich,

I'll arrange that.

Just to confirm - the props.conf stays located on the forwarder server, just the way it is (minus the "force_local_processing" flag). Once I re-start the indexer, the changes in the props.conf on the forwarder server will take effect, correct?

Re: props.conf not applying

ekenne06 — Sat, 30 Jan 2021 00:01:09 GMT

I finally got mine to work. It was actually due to me not linebreaking properly on the right sourcetype. I would try testing your props.conf by making a LINE_BREAKER to something super simple, so if it works, you know it's just your config. If it doesn't work that means the sourcetype isn't being recognized. Once I found the right sourcetype I did:

LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2} TIME_PREFIX = ^ LINE_MERGE = FALSE

Since my timestamp is the start of every event, that was the best think to line break on.

Re: props.conf not applying

ekenne06 — Sat, 30 Jan 2021 00:01:54 GMT

should be LINEMERGE, not LINE_MERGE

Re: props.conf not applying

irwinj_125 — Sat, 30 Jan 2021 00:31:08 GMT

Excellent!

I finally got mine working too (details below). Good to go into the weekend with problems solved.

Re: props.conf not applying

irwinj_125 — Sat, 30 Jan 2021 14:51:43 GMT

Hi @richgalloway

Would you be able to guide me on the above question? Just want to be sure. With the force local processing flag set to true, and the inputs.conf and props.conf in the etc/system/local directory on the UF, things work as expected. If I turn off the force local processing flag and re-cycle the indexer, should the other settings in the props.conf (located on the UF) come into play? Or would I need to create the props.conf in the etc/system/local directory on the indexer server (rather than UF)?

Normally I would just experiment and see, but as mentioned its not as easy for me to re-start the indexer as it is to re-start the UF.

Re: props.conf not applying

irwinj_125 — Mon, 01 Feb 2021 01:25:16 GMT

hi @richgalloway ,

I was able to figure this out as I was able to re-cycle the indexer (enterprise) today. Initially it did not work, having the props.conf just on the UF side. I then copied the props.conf into /etc/system/local on the Indexer and re-cycled, after this it worked as expected.

Thanks for all your guidance on this.