https://community.splunk.com/t5/Getting-Data-In/Cleaning-up-props-conf-OR-not-working-for-multiple-sources/m-p/24425#M3854 <P>Give this notation a try:</P> <P><CODE>[source::(udp:32001)|(udp:32002)|(udp:32006)]</CODE></P> <P>Also, to troubleshoot further and to see where and what parameters are set for each source use <CODE>btool</CODE> :</P> <P><CODE>splunk cmd btool props list [stanza_name]</CODE> </P> <P>or, for even more verbosity:</P> <P><CODE>splunk cmd btool --debug props list [stanza_name]</CODE> </P> <P>Hope this helps.</P> <P><CODE>&gt; please upvote and accept answer if you find it useful - thanks!</CODE></P> Tue, 29 Nov 2011 21:31:46 GMT _d_ 2011-11-29T21:31:46Z https://community.splunk.com/t5/Getting-Data-In/Cleaning-up-props-conf-OR-not-working-for-multiple-sources/m-p/24424#M3853 <P>I have the following in props.conf<BR /> <PRE><CODE><BR /> [source::udp:32001]<BR /> TZ = UTC<BR /> TIME_FORMAT = %b %d %H:%M:%S<BR /> MAX_TIMESTAMP_LOOKAHEAD = 32<BR /> BREAK_ONLY_BEFORE_DATE = True<BR /> SHOULD_LINEMERGE = False</CODE></PRE></P> <P>[source::udp:32002]<BR /> TZ = UTC<BR /> TIME_FORMAT = %b %d %H:%M:%S<BR /> MAX_TIMESTAMP_LOOKAHEAD = 32<BR /> BREAK_ONLY_BEFORE_DATE = True<BR /> SHOULD_LINEMERGE = False</P> <P>[source::udp:32006]<BR /> TIME_FORMAT = %b %d %H:%M:%S<BR /> MAX_TIMESTAMP_LOOKAHEAD = 32<BR /> BREAK_ONLY_BEFORE_DATE = True<BR /> SHOULD_LINEMERGE = False<BR /> </P> <P>From what I've read, it seems this should work to "simplify" my props.conf, but when I actually implement this it doesn't work:</P> <PRE><CODE>[source::udp:32001|udp:32002|udp:32006] TIME_FORMAT = %b %d %H:%M:%S MAX_TIMESTAMP_LOOKAHEAD = 32 BREAK_ONLY_BEFORE_DATE = True SHOULD_LINEMERGE = False [source::udp:32001|udp:32002] TZ = UTC </CODE></PRE> <P>With source-specific entries, time settings are correctly interpreted. When I attempt to configure a single stanza with multiple sources using |, it fails (most notably, the log data from udp:32001/2 are shifted 5 hours in the future).</P> <P>Is this not supported? Or am I just doing it wrong? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 28 Sep 2020 10:09:47 GMT https://community.splunk.com/t5/Getting-Data-In/Cleaning-up-props-conf-OR-not-working-for-multiple-sources/m-p/24424#M3853 jeff 2020-09-28T10:09:47Z https://community.splunk.com/t5/Getting-Data-In/Cleaning-up-props-conf-OR-not-working-for-multiple-sources/m-p/24425#M3854 <P>Give this notation a try:</P> <P><CODE>[source::(udp:32001)|(udp:32002)|(udp:32006)]</CODE></P> <P>Also, to troubleshoot further and to see where and what parameters are set for each source use <CODE>btool</CODE> :</P> <P><CODE>splunk cmd btool props list [stanza_name]</CODE> </P> <P>or, for even more verbosity:</P> <P><CODE>splunk cmd btool --debug props list [stanza_name]</CODE> </P> <P>Hope this helps.</P> <P><CODE>&gt; please upvote and accept answer if you find it useful - thanks!</CODE></P> Tue, 29 Nov 2011 21:31:46 GMT https://community.splunk.com/t5/Getting-Data-In/Cleaning-up-props-conf-OR-not-working-for-multiple-sources/m-p/24425#M3854 _d_ 2011-11-29T21:31:46Z https://community.splunk.com/t5/Getting-Data-In/Cleaning-up-props-conf-OR-not-working-for-multiple-sources/m-p/24426#M3855 <P>Nope - fraid not. Simple test:</P> <P>[source::(udp:32001)|(udp:32002)|(udp:32006)]<BR /> FIELDALIAS-user2 = User_Name as user2</P> <P>[source::udp:32001]<BR /> FIELDALIAS-user = User_Name as user<BR /> FIELDALIAS-user3 = User_Name as user3</P> <P>"user" and "user3" get picked up, "user2" does not. btool picks up the settings and reports the stanza as written in props.conf, so...</P> <P>Think I'm just going to report a bug and move on.</P> Mon, 28 Sep 2020 10:12:24 GMT https://community.splunk.com/t5/Getting-Data-In/Cleaning-up-props-conf-OR-not-working-for-multiple-sources/m-p/24426#M3855 jeff 2020-09-28T10:12:24Z https://community.splunk.com/t5/Getting-Data-In/Cleaning-up-props-conf-OR-not-working-for-multiple-sources/m-p/24427#M3856 <P>Also, if you want to see a complete view of your Splunk install, install the Splunk on Splunk (SoS) app with SideView Utils. You can see everything about your Splunk environment in one place.</P> <P><A href="http://splunk-base.splunk.com/apps/29008/sos-splunk-on-splunk">http://splunk-base.splunk.com/apps/29008/sos-splunk-on-splunk</A></P> <P><A href="http://splunk-base.splunk.com/apps/22279/sideview-utils">http://splunk-base.splunk.com/apps/22279/sideview-utils</A></P> Thu, 08 Dec 2011 15:46:59 GMT https://community.splunk.com/t5/Getting-Data-In/Cleaning-up-props-conf-OR-not-working-for-multiple-sources/m-p/24427#M3856 dmaislin_splunk 2011-12-08T15:46:59Z