https://community.splunk.com/t5/Getting-Data-In/What-props-conf-and-transforms-conf-settings-I-need-to-onboard/m-p/582549#M102626 <P>Hi</P><P>First You should test this with sample data on your local dev instance. This is the easiest way to integrate data source to splunk.&nbsp;</P><P>On your local instance start with</P><OL><LI>Settings -&gt; Add Data -&gt; Monitor/Upload</LI><LI>Select source file from your local disk</LI><LI>Configure the next parts<OL><LI>Event Breaks (Regex&nbsp;([\n\r]+)\s*&lt;Interceptor&gt;)</LI><LI>Timestamp: Advanced<OL><LI>Format: %Y-%m-%d&lt;/ActionDate&gt;\n\s*&lt;ActionTime&gt;%H:%M%S (check with your actual data)</LI><LI>Prefix: &lt;ActionDate&gt;</LI><LI>Lookahead: enough long to match Format</LI></OL></LI><LI>Advanced: If something is needed</LI></OL></LI></OL><P>When you are happy what you see on your preview, then "Save As" a new sourcetype. Also you can copy those with link "Copy to clipboard".</P><P>Then add that props.conf into the first full Splunk Enterprise instance on path from your source system to indexers. And remember restart that instance.</P><P>I prefer to create own TA for those config and then distribute that TA where it is needed.</P><P>r. Ismo</P> Wed, 26 Jan 2022 14:55:50 GMT isoutamo 2022-01-26T14:55:50Z https://community.splunk.com/t5/Getting-Data-In/What-props-conf-and-transforms-conf-settings-I-need-to-onboard/m-p/582523#M102624 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="trabz777_0-1643197346946.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/17678iD21BAF0D9141329E/image-size/medium?v=v2&amp;px=400" role="button" title="trabz777_0-1643197346946.png" alt="trabz777_0-1643197346946.png" /></span></P><P>This ^ is sample xml log file that I want to onboard. Please guide me about the settings which I should set in order to properly input this data. Also tell me on which instances the settings (props.conf and transforms.conf) are required. I am running a Distributed system with indexer clustering.&nbsp;</P> Wed, 26 Jan 2022 11:45:46 GMT https://community.splunk.com/t5/Getting-Data-In/What-props-conf-and-transforms-conf-settings-I-need-to-onboard/m-p/582523#M102624 trabz777 2022-01-26T11:45:46Z https://community.splunk.com/t5/Getting-Data-In/What-props-conf-and-transforms-conf-settings-I-need-to-onboard/m-p/582549#M102626 <P>Hi</P><P>First You should test this with sample data on your local dev instance. This is the easiest way to integrate data source to splunk.&nbsp;</P><P>On your local instance start with</P><OL><LI>Settings -&gt; Add Data -&gt; Monitor/Upload</LI><LI>Select source file from your local disk</LI><LI>Configure the next parts<OL><LI>Event Breaks (Regex&nbsp;([\n\r]+)\s*&lt;Interceptor&gt;)</LI><LI>Timestamp: Advanced<OL><LI>Format: %Y-%m-%d&lt;/ActionDate&gt;\n\s*&lt;ActionTime&gt;%H:%M%S (check with your actual data)</LI><LI>Prefix: &lt;ActionDate&gt;</LI><LI>Lookahead: enough long to match Format</LI></OL></LI><LI>Advanced: If something is needed</LI></OL></LI></OL><P>When you are happy what you see on your preview, then "Save As" a new sourcetype. Also you can copy those with link "Copy to clipboard".</P><P>Then add that props.conf into the first full Splunk Enterprise instance on path from your source system to indexers. And remember restart that instance.</P><P>I prefer to create own TA for those config and then distribute that TA where it is needed.</P><P>r. Ismo</P> Wed, 26 Jan 2022 14:55:50 GMT https://community.splunk.com/t5/Getting-Data-In/What-props-conf-and-transforms-conf-settings-I-need-to-onboard/m-p/582549#M102626 isoutamo 2022-01-26T14:55:50Z