https://community.splunk.com/t5/Getting-Data-In/Why-props-conf-configurations-not-taking-effect/m-p/150308#M30552 <P>Check the sourcetype configuration section in <A href="http://docs.splunk.com/Documentation/Splunk/6.1.2/Admin/Propsconf">http://docs.splunk.com/Documentation/Splunk/6.1.2/Admin/Propsconf</A></P> Mon, 21 Jul 2014 10:40:30 GMT strive 2014-07-21T10:40:30Z https://community.splunk.com/t5/Getting-Data-In/Why-props-conf-configurations-not-taking-effect/m-p/150303#M30547 <P>Hi,</P> <P>I am receiving syslog data from various type of devices, but all are on udp:514. I need to overwrite the sourcetype based on Host IP address. Following are the configurations I did, but this is not taking effective. My search result shows sourcetype as [syslog] only. <BR /> Can you please help me where I am doing the mistake.</P> <PRE><CODE>Configurations made in $SPLUNK_HOME/etc/system/local directory inputs.conf [udp://514] connection_host = ip source = udp_514 sourcetype = syslog props.conf [host::10\.0\.6\.23] sourcetype = websense [host::10\.0\.6\.113] sourcetype = cisco:ios </CODE></PRE> Mon, 21 Jul 2014 07:01:35 GMT https://community.splunk.com/t5/Getting-Data-In/Why-props-conf-configurations-not-taking-effect/m-p/150303#M30547 ankireddy007 2014-07-21T07:01:35Z https://community.splunk.com/t5/Getting-Data-In/Why-props-conf-configurations-not-taking-effect/m-p/150304#M30548 <P>Where do you have your props.conf? Is it on forwarder or indexer? what type of forwarder are you using? In your search results are you seeing different IP addresses as hosts?</P> Mon, 21 Jul 2014 07:51:22 GMT https://community.splunk.com/t5/Getting-Data-In/Why-props-conf-configurations-not-taking-effect/m-p/150304#M30548 strive 2014-07-21T07:51:22Z https://community.splunk.com/t5/Getting-Data-In/Why-props-conf-configurations-not-taking-effect/m-p/150305#M30549 <P>HI Strive,</P> <P>Here no forwarders in this deployment, as all syslog devices sending data on udp:514. I have splunk indexer acting as syslog server to receive on udp:514. <BR /> All configurations made in Splunk INDEXER. (system/local directory)<BR /> Yes I am seeing different hosts (IPs) on search </P> <P>Thansk, Anki</P> Mon, 21 Jul 2014 07:56:35 GMT https://community.splunk.com/t5/Getting-Data-In/Why-props-conf-configurations-not-taking-effect/m-p/150305#M30549 ankireddy007 2014-07-21T07:56:35Z https://community.splunk.com/t5/Getting-Data-In/Why-props-conf-configurations-not-taking-effect/m-p/150306#M30550 <P>This link will help you</P> <P><A href="http://">http://answers.splunk.com/answers/3687/host-stanza-in-propsconf-not-being-honored-for-udp514-data-sources</A></P> <P>You set the sourcetype in transforms.conf and then use that in props.conf file</P> Mon, 21 Jul 2014 07:59:15 GMT https://community.splunk.com/t5/Getting-Data-In/Why-props-conf-configurations-not-taking-effect/m-p/150306#M30550 strive 2014-07-21T07:59:15Z https://community.splunk.com/t5/Getting-Data-In/Why-props-conf-configurations-not-taking-effect/m-p/150307#M30551 <P>Thaks Strive, Its working.<BR /> But any idea why settings in props.conf alone (without transforms.conf) not working.</P> Mon, 21 Jul 2014 09:18:42 GMT https://community.splunk.com/t5/Getting-Data-In/Why-props-conf-configurations-not-taking-effect/m-p/150307#M30551 ankireddy007 2014-07-21T09:18:42Z https://community.splunk.com/t5/Getting-Data-In/Why-props-conf-configurations-not-taking-effect/m-p/150308#M30552 <P>Check the sourcetype configuration section in <A href="http://docs.splunk.com/Documentation/Splunk/6.1.2/Admin/Propsconf">http://docs.splunk.com/Documentation/Splunk/6.1.2/Admin/Propsconf</A></P> Mon, 21 Jul 2014 10:40:30 GMT https://community.splunk.com/t5/Getting-Data-In/Why-props-conf-configurations-not-taking-effect/m-p/150308#M30552 strive 2014-07-21T10:40:30Z