topic Re: Why is my props.conf configuration no longer working on my French timestamp and FileZilla server logs? in Getting Data In

Why is my props.conf configuration no longer working on my French timestamp and FileZilla server logs?

splunkreal — Mon, 03 Apr 2017 16:18:48 GMT

Hello guys,

I have a problem with French logs so I tried to create props.conf and deploy it :

[fzs]
TIME_PREFIX = ^\([0-9]*\)\s
TIME_FORMAT = %d/%m/%Y %H:%M:%S

Log example :

(1002561) 01/04/2017 23:59:01 - blablabla

I've understood that the time_prefix will ignore the (number) and space before the french date.

Should it work? My logs from April are not coming however it worked from January to March 2017.

Thanks a lot!

Re: Why is my props.conf configuration no longer working on my French timestamp and FileZilla server logs?

cpetterborg — Mon, 03 Apr 2017 16:24:13 GMT

That should be working. Have you checked to make sure that there aren't extra spaces or something else that might have changed slightly in the log since April 1?

Re: Why is my props.conf configuration no longer working on my French timestamp and FileZilla server logs?

splunkreal — Tue, 29 Sep 2020 13:26:57 GMT

I never used TIME_PREFIX and TIME_FORMAT before, in fact april logs are now indexed as march which is the problem :

03/04/2017 (3rd april 2017 french format) => 4 march 2017

Thanks.

Re: Why is my props.conf configuration no longer working on my French timestamp and FileZilla server logs?

cpetterborg — Mon, 03 Apr 2017 16:35:30 GMT

It looks like it is ignoring your TIME_FORMAT. Are you sure that the stanza is being used for your data? If not, then it would try to do formatting on its own, and that might make it use an American mon/day/year format, which looks like what you are seeing.

Re: Why is my props.conf configuration no longer working on my French timestamp and FileZilla server logs?

s2_splunk — Mon, 03 Apr 2017 16:50:18 GMT

Where did you deploy your props.conf file?
If your Filezilla logs are being collected with a Universal Forwarder, props.conf needs to be on all the indexers, if you are using a Heavy forwarder somewhere between your Filezilla server and the indexers, it needs to go on the Heavy Forwarder.

In other words: props.conf needs to be on the Splunk role that does the event parsing.

Maybe it helps if you describe your data ingest path a bit more.

Re: Why is my props.conf configuration no longer working on my French timestamp and FileZilla server logs?

splunkreal — Mon, 03 Apr 2017 17:03:35 GMT

You are right, props.conf is only forwarder side. Should it be deployed on the indexer cluster?

Re: Why is my props.conf configuration no longer working on my French timestamp and FileZilla server logs?

cpetterborg — Mon, 03 Apr 2017 17:07:56 GMT

Props.conf files usually deployed on the indexers, and for the functionality that you want, that is where the props.conf should be, because it is at index time, not at forwarding time that those configs are needed.

Re: Why is my props.conf configuration no longer working on my French timestamp and FileZilla server logs?

s2_splunk — Mon, 03 Apr 2017 17:13:35 GMT

You need to deploy your props.conf settings where the event parsing happens. There are a few that take effect on the Universal Forwarder, but most of them need to be on your indexing tier (or any intermediary heavy forwarder, if present).
This Wiki page provides a bit more detail around the topic.

Re: Why is my props.conf configuration no longer working on my French timestamp and FileZilla server logs?

splunkreal — Tue, 29 Sep 2020 13:27:01 GMT

Ok, I've tried on a test machine and it works finally (I used the add data/upload web interface with the advanced sourcetype settings).

So I've to put my props.conf on both /etc/deployment-apps/_server... and therefore etc/master-apps/_cluster/local?

Thanks a lot!

Re: Why is my props.conf configuration no longer working on my French timestamp and FileZilla server logs?

s2_splunk — Mon, 03 Apr 2017 18:41:31 GMT

Great to hear, you're welcome. Please accept answer when you get a chance. Thanks!