<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: UF and Indexers, problem with props.conf in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/UF-and-Indexers-problem-with-props-conf/m-p/57585#M11255</link>
    <description>&lt;P&gt;See further updates above. /k&lt;/P&gt;</description>
    <pubDate>Wed, 25 Jan 2012 14:14:05 GMT</pubDate>
    <dc:creator>kristian_kolb</dc:creator>
    <dc:date>2012-01-25T14:14:05Z</dc:date>
    <item>
      <title>UF and Indexers, problem with props.conf</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/UF-and-Indexers-problem-with-props-conf/m-p/57580#M11250</link>
      <description>&lt;P&gt;We are converting from a single Splunk instance to a cluster.  At this time we are also implementing Universal Forwarders on several of our application servers.&lt;/P&gt;

&lt;P&gt;I have several props.conf and transforms.conf rules written for the old system that I would like to implement on the new system.  So far I have been unable to get the rules to activate.&lt;/P&gt;

&lt;P&gt;1) I am able to select the index in which I want the logs to go to, but this has only been successful by defining them on the UF.  I have tried several different configurations for inputs.conf in my app on the splunk indexers, but to no avail.&lt;/P&gt;

&lt;P&gt;2) Also I would like to push files from the distribution server to the UFs.  I have been able to get the files over by including the host as part of the distribution class, but I have been unable to craft an inputs.conf and outputs.conf file that will work both on the UFs and the Indexers.&lt;/P&gt;

&lt;P&gt;Anyone have some suggestions?&lt;/P&gt;</description>
      <pubDate>Wed, 25 Jan 2012 12:09:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/UF-and-Indexers-problem-with-props-conf/m-p/57580#M11250</guid>
      <dc:creator>fk319</dc:creator>
      <dc:date>2012-01-25T12:09:57Z</dc:date>
    </item>
    <item>
      <title>Re: UF and Indexers, problem with props.conf</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/UF-and-Indexers-problem-with-props-conf/m-p/57581#M11251</link>
      <description>&lt;P&gt;1) If you are using UF, the input phase takes place on the forwarder, and the parsing and indexing phases take place on the indexer. This means that input-related configuration needs to be done on the forwarder. i.e. &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[monitor:///var/log/my_app]
index = blah
sourcetype = app_log
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;The &lt;CODE&gt;inputs.conf&lt;/CODE&gt; on the indexer will most likely only need a TCP listener. &lt;/P&gt;

&lt;P&gt;2) As mentioned in 1) you will need different &lt;CODE&gt;inputs.conf&lt;/CODE&gt; files on forwarders/indexers. The &lt;CODE&gt;outputs.conf&lt;/CODE&gt; file on the forwarders does not need to be complicated. Do you need an &lt;CODE&gt;outputs.conf&lt;/CODE&gt; on the indexers? Where would they forward their data? If you are setting up load balanced forwarding between the indexers in your cluster, something like this would most likely work in the &lt;CODE&gt;outputs.conf&lt;/CODE&gt; on your forwarders.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[tcpout]
defaultGroup = lb

[tcpout:lb]
server = 1.2.3.4:4433, 1.2.3.5:4433
autoLB = true
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;HR /&gt;

&lt;P&gt;UPDATE: If the indexing and searching function is divided between separate hosts (dedicated Indexer(s) and SearchHead(s)) they will need different &lt;CODE&gt;props.conf&lt;/CODE&gt; parameters. Line breaking, time formats etc that are set at index time will need to go to the indexers' &lt;CODE&gt;props.conf&lt;/CODE&gt;, and other configurations such as field extractions, tags, eventtypes etc will need to be in the SearchHeads' &lt;CODE&gt;props.conf&lt;/CODE&gt;.&lt;/P&gt;

&lt;HR /&gt;

&lt;P&gt;UPDATE 2: Yes, they will most certainly use different stanzas. For inputs this is especially true. You would not want to open up a tcp port listening for log traffic (default 9997) on all your forwarders. Conversely, you would not want to monitor &lt;CODE&gt;c:\logs\IIS&lt;/CODE&gt; on your Linux-based Indexer. &lt;/P&gt;

&lt;P&gt;Thus you need two 'applications' (each app really being just an inputs.conf file) and two (minimum) serverclasses (indexer and forwarder). &lt;/P&gt;

&lt;P&gt;Indexers get the &lt;CODE&gt;inputs.conf&lt;/CODE&gt; file telling them to listen to port 9997, and forwarders get a different &lt;CODE&gt;inputs.conf&lt;/CODE&gt; file telling them to monitor some directory or file.&lt;/P&gt;

&lt;P&gt;Regarding &lt;CODE&gt;props.conf&lt;/CODE&gt; files, you can in most cases (I believe) just have the same file pushed out everywhere, as the server role (UF, HF, LWF, indexer, search head) will cause it to only read/use/understand the parts appropriate for the role. &lt;/P&gt;

&lt;P&gt;For more information, see:&lt;/P&gt;

&lt;P&gt;&lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf"&gt;http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;&lt;A href="http://docs.splunk.com/Documentation/Splunk/4.3/Admin/Configurationparametersandthedatapipeline"&gt;http://docs.splunk.com/Documentation/Splunk/4.3/Admin/Configurationparametersandthedatapipeline&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;&lt;A href="http://docs.splunk.com/Documentation/Splunk/4.3/Deploy/Datapipeline"&gt;http://docs.splunk.com/Documentation/Splunk/4.3/Deploy/Datapipeline&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;Hope this helps,&lt;/P&gt;

&lt;P&gt;Kristian&lt;/P&gt;</description>
      <pubDate>Wed, 25 Jan 2012 13:01:30 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/UF-and-Indexers-problem-with-props-conf/m-p/57581#M11251</guid>
      <dc:creator>kristian_kolb</dc:creator>
      <dc:date>2012-01-25T13:01:30Z</dc:date>
    </item>
    <item>
      <title>Re: UF and Indexers, problem with props.conf</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/UF-and-Indexers-problem-with-props-conf/m-p/57582#M11252</link>
      <description>&lt;P&gt;I have the UF sending the data, I just can't seem to get my props.conf on my indexer to be applied.&lt;/P&gt;

&lt;P&gt;From your second link, I think I should be looking at the search head and not the indexer.  (I am using Transforms and Reports).&lt;/P&gt;

&lt;P&gt;Let me chew on this for a few hours, thank you Kristian.&lt;/P&gt;</description>
      <pubDate>Wed, 25 Jan 2012 13:09:11 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/UF-and-Indexers-problem-with-props-conf/m-p/57582#M11252</guid>
      <dc:creator>fk319</dc:creator>
      <dc:date>2012-01-25T13:09:11Z</dc:date>
    </item>
    <item>
      <title>Re: UF and Indexers, problem with props.conf</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/UF-and-Indexers-problem-with-props-conf/m-p/57583#M11253</link>
      <description>&lt;P&gt;updated my answer for clarity /k&lt;/P&gt;</description>
      <pubDate>Wed, 25 Jan 2012 13:52:56 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/UF-and-Indexers-problem-with-props-conf/m-p/57583#M11253</guid>
      <dc:creator>kristian_kolb</dc:creator>
      <dc:date>2012-01-25T13:52:56Z</dc:date>
    </item>
    <item>
      <title>Re: UF and Indexers, problem with props.conf</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/UF-and-Indexers-problem-with-props-conf/m-p/57584#M11254</link>
      <description>&lt;P&gt;Kristian,&lt;BR /&gt;
I think 'different' is the wrong word.  From what I have read they use different stanzas and can thus be placed in the same field.&lt;BR /&gt;
From what I have found so far, my apps/.../props.conf has not made it to my Search Heads.&lt;/P&gt;</description>
      <pubDate>Wed, 25 Jan 2012 14:01:46 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/UF-and-Indexers-problem-with-props-conf/m-p/57584#M11254</guid>
      <dc:creator>fk319</dc:creator>
      <dc:date>2012-01-25T14:01:46Z</dc:date>
    </item>
    <item>
      <title>Re: UF and Indexers, problem with props.conf</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/UF-and-Indexers-problem-with-props-conf/m-p/57585#M11255</link>
      <description>&lt;P&gt;See further updates above. /k&lt;/P&gt;</description>
      <pubDate>Wed, 25 Jan 2012 14:14:05 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/UF-and-Indexers-problem-with-props-conf/m-p/57585#M11255</guid>
      <dc:creator>kristian_kolb</dc:creator>
      <dc:date>2012-01-25T14:14:05Z</dc:date>
    </item>
  </channel>
</rss>

