topic Re: Why are changes made in props.conf not taking effect? in Getting Data In

Why are changes made in props.conf not taking effect?

prathapkcsc — Mon, 19 Jun 2017 18:36:06 GMT

My sample data

AAA, 0.5%
BBB,0.10%
CCC,0.20%

my search looks like this

base search | rex ".*?(?[^,]+),\s*?(?.*)" | table name,value

My entire data comes in as a single event. I want to avoid this.

I am trying to split a single event into multiple events based on new-line delimiter.
my props.conf file have

[app_source]
DATETIME_CONFIG = current
NO_BINARY_CHECK = true
category = Custom
pulldown_type = true
LINE_BREAKER=([\r\n]+)
SHOULD_LINEMERGE=false
MUST_BREAK_AFTER=\%

i placed this props.conf inside the $SPLUNK_HOME/etc/system/local
i restarted the splunkd service.
still changes are not reflecting to my search.
can anyone provide some light?
I am new to Splunk. What to do to resolve this problem?

Re: Why are changes made in props.conf not taking effect?

somesoni2 — Mon, 19 Jun 2017 18:49:05 GMT

The props.conf should be kept at the Indexer OR heavy forwarder (first Full Splunk Enterprise version) that comes first in the flow.

Re: Why are changes made in props.conf not taking effect?

prathapkcsc — Mon, 19 Jun 2017 18:55:08 GMT

i placed inside the $SPLUNK_HOME/etc/search/local.
Is this different from that indexer?

Re: Why are changes made in props.conf not taking effect?

somesoni2 — Mon, 19 Jun 2017 19:00:34 GMT

Indexer is the server where data indexing happens. The $SPLUNK_HOME/etc/search/local directory is available in all Splunk instances. Since you're new to Splunk, start reading with distributed architecture of Splunk, to understand different server types, correlated with your Splunk infrastructure and then make the changes (same location) in the server designated as indexer:
http://docs.splunk.com/Documentation/Splunk/6.6.1/Capacity/ComponentsofaSplunkEnterprisedeployment

Re: Why are changes made in props.conf not taking effect?

prathapkcsc — Mon, 19 Jun 2017 19:04:30 GMT

according to my requirement where should i make necessary changes?
Could you please tell me

Re: Why are changes made in props.conf not taking effect?

prathapkcsc — Mon, 19 Jun 2017 19:06:37 GMT

can i store props.conf inside $SPLUNK_HOME/var/lib/splunk/defaultdb/db/* this path?

Re: Why are changes made in props.conf not taking effect?

somesoni2 — Mon, 19 Jun 2017 19:13:52 GMT

The path is not the problem, it which server. I already provided you the name of the server (indexer/Heavy forwarder) but I can't tell you more specifically as I don't know your environment. How many Splunk servers you have? The server where you're monitoring the file (inputs.conf I assume), does it have Splunk Enterprise or Universal Forwarder installed?

Are you the Splunk admin for your environment? If not, you can get these answered by your admin.

Also, $SPLUNK_HOME/var/lib/splunk/defaultdb/db/* is the path for storing data, DO NOT Place anything there.

Re: Why are changes made in props.conf not taking effect?

prathapkcsc — Mon, 19 Jun 2017 19:18:48 GMT

I installed a windows desktop application.I don't have any forwarders like universal, heavy forwarder. I am trying to learn this , but got stuck here.

Re: Why are changes made in props.conf not taking effect?

somesoni2 — Mon, 19 Jun 2017 19:24:58 GMT

Ok.. so you're working out of a Standalone box (which performs all roles of search head, indexer, heavy forwarder). So if you've placed the props.conf in $SPLUNK_HOME/etc/system/local, it's placed in correct location. Keep in mind that a data once indexed will not get updated even if you change the event processing configuration. The new configuration will only be applicable for any new data that will get ingested. Did you upload new data? (old data will remain as it is. If you're just testing, delete all old data and re-index the file).

Re: Why are changes made in props.conf not taking effect?

micahkemp — Tue, 20 Jun 2017 14:35:28 GMT

You show app_source as the stanza for your props.conf. Is that reflective of the source or sourcetype of your data? If the former, it should be source::app_source instead, as per props.conf:

<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an
                 event.
3. source::<source>, where <source> is the source, or source-matching
                     pattern, for an event.
4. rule::<rulename>, where <rulename> is a unique name of a source type
                     classification rule.
5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed
                            source type classification rule.
                            These are only considered as a last resort
                            before generating a new source type based on the
                            source seen.