https://community.splunk.com/t5/Getting-Data-In/props-conf-not-recursing-all-directories/m-p/62274#M12436 <P>Are you trying to define an input with your [source...] statement? Because that's wrong.</P> <P>In a props.conf, the [source...] statement is meant only to define what group of events to apply the props to.</P> <P>You'd want to create an inputs.conf with something like this in it:</P> <PRE><CODE>[monitor:///HOSTS.../*.logfile] sourcetype = syslog </CODE></PRE> <P>And then, if your syslog is properly formatted, you won't even need a props.conf stanza for that.</P> Thu, 12 Sep 2013 19:17:49 GMT mloven_splunk 2013-09-12T19:17:49Z https://community.splunk.com/t5/Getting-Data-In/props-conf-not-recursing-all-directories/m-p/62273#M12435 <P>I'm trying to go down a line of directories to get the syslog files. The recursion works for year 2013. To make sure it works for other years copied 2013 files to 2012 and changed year in all in all files. When doing search with all time Splunk doesn't see 2012.</P> <P>props.conf <BR /> [source:: HOSTS.../*.logfile<BR /> sourcetype = syslog<BR /> TIME_FORMAT = %m %d %H:%M:%D</P> <P>Any assistance would be appreciated.</P> Thu, 12 Sep 2013 19:00:30 GMT https://community.splunk.com/t5/Getting-Data-In/props-conf-not-recursing-all-directories/m-p/62273#M12435 pljulien 2013-09-12T19:00:30Z https://community.splunk.com/t5/Getting-Data-In/props-conf-not-recursing-all-directories/m-p/62274#M12436 <P>Are you trying to define an input with your [source...] statement? Because that's wrong.</P> <P>In a props.conf, the [source...] statement is meant only to define what group of events to apply the props to.</P> <P>You'd want to create an inputs.conf with something like this in it:</P> <PRE><CODE>[monitor:///HOSTS.../*.logfile] sourcetype = syslog </CODE></PRE> <P>And then, if your syslog is properly formatted, you won't even need a props.conf stanza for that.</P> Thu, 12 Sep 2013 19:17:49 GMT https://community.splunk.com/t5/Getting-Data-In/props-conf-not-recursing-all-directories/m-p/62274#M12436 mloven_splunk 2013-09-12T19:17:49Z https://community.splunk.com/t5/Getting-Data-In/props-conf-not-recursing-all-directories/m-p/62275#M12437 <P>Data is in a file. In inputs.conf I have:</P> <P>[monitor:///opt/splunk/data/test/HOSTS/.../*.logfile]<BR /> index=test<BR /> sourcetype = syslog</P> <P>When I didn't have the props.conf my data was coming in as the date of file, so created a props.conf file, fat-fingered above. It is:</P> <P>[source:///opt/splunk/data/HOSTS/.../*.logfile]<BR /> sourcetype = syslog<BR /> TIME_FORMAT = %d %m %H:%M:%S</P> <P>The directory structure is - .../HOSTS/<IP address="">/year/month/day.logfile. The 2 files configured as noted, only getting data for 2013 and not 2012. Search set to all time. Any suggestions on changes to this would be appreciated.</IP></P> Thu, 12 Sep 2013 21:12:13 GMT https://community.splunk.com/t5/Getting-Data-In/props-conf-not-recursing-all-directories/m-p/62275#M12437 pljulien 2013-09-12T21:12:13Z https://community.splunk.com/t5/Getting-Data-In/props-conf-not-recursing-all-directories/m-p/62276#M12438 <P>Ok.</P> <P>Is your TIME_FORMAT correct? The standard TIME_FORMAT for the syslog sourcetype is:</P> <PRE><CODE>TIME_FORMAT = %b %d %H:%M:%S </CODE></PRE> <P>Which expects a month abbreviation (i.e. Jun, Nov, etc), then the day. Yours expects a timestamp like 12 09 16:27:00, which seems odd.</P> Mon, 28 Sep 2020 14:46:06 GMT https://community.splunk.com/t5/Getting-Data-In/props-conf-not-recursing-all-directories/m-p/62276#M12438 mloven_splunk 2020-09-28T14:46:06Z