https://community.splunk.com/t5/Getting-Data-In/Indexers-props-conf/m-p/437998#M99347 <P>From Splunk it's said it's best to do your custom Field extractions at search time. So the only extractions you do on your indexers are date/time field extractions and what else?</P> <P>Can someone provide me a well written, efficient props.conf file for your index time extractions for IIS or Tomcat sourcetype logs?</P> <P>I'm pulling in HUGE iis logs from about 40 servers many logs larger that 1gb in size and we are noticing a delay of up to 2+ hours for those logs. I understand increasing pipelines on indexer or UFs, I also understand upping the maxkb limit in limits.conf</P> <P>My purpose here is to determine if there's a more efficient way to get my data in via the configurations files. Am I doing something wrong or neglecting the best practices?</P> <P>On my indexers props.conf<BR /> I have the timezone set to UTC and that's it. All my custom Field extractions are on my search heads via props and transforms. I'd imagine there's more i can do to help out my indexer via props.conf</P> <P>Can someone provide an example and explain the key value pairs within their stanza. Thanks</P> Sat, 10 Aug 2019 11:45:36 GMT Jarohnimo 2019-08-10T11:45:36Z https://community.splunk.com/t5/Getting-Data-In/Indexers-props-conf/m-p/437998#M99347 <P>From Splunk it's said it's best to do your custom Field extractions at search time. So the only extractions you do on your indexers are date/time field extractions and what else?</P> <P>Can someone provide me a well written, efficient props.conf file for your index time extractions for IIS or Tomcat sourcetype logs?</P> <P>I'm pulling in HUGE iis logs from about 40 servers many logs larger that 1gb in size and we are noticing a delay of up to 2+ hours for those logs. I understand increasing pipelines on indexer or UFs, I also understand upping the maxkb limit in limits.conf</P> <P>My purpose here is to determine if there's a more efficient way to get my data in via the configurations files. Am I doing something wrong or neglecting the best practices?</P> <P>On my indexers props.conf<BR /> I have the timezone set to UTC and that's it. All my custom Field extractions are on my search heads via props and transforms. I'd imagine there's more i can do to help out my indexer via props.conf</P> <P>Can someone provide an example and explain the key value pairs within their stanza. Thanks</P> Sat, 10 Aug 2019 11:45:36 GMT https://community.splunk.com/t5/Getting-Data-In/Indexers-props-conf/m-p/437998#M99347 Jarohnimo 2019-08-10T11:45:36Z https://community.splunk.com/t5/Getting-Data-In/Indexers-props-conf/m-p/437999#M99348 <P>Hey @Jarohnimo,</P> <P>Best way to find well written props.conf for any data source is to find the splunk built TA. Have a look here for IIS <BR /> <A href="https://splunkbase.splunk.com/app/3185/">https://splunkbase.splunk.com/app/3185/</A></P> <P>And here for Tomcat:<BR /> <A href="https://splunkbase.splunk.com/app/2911/">https://splunkbase.splunk.com/app/2911/</A></P> <P>You can grab the app and take the props.conf from there.</P> <P>Cheers,<BR /> David</P> Sat, 10 Aug 2019 13:00:40 GMT https://community.splunk.com/t5/Getting-Data-In/Indexers-props-conf/m-p/437999#M99348 DavidHourani 2019-08-10T13:00:40Z https://community.splunk.com/t5/Getting-Data-In/Indexers-props-conf/m-p/438000#M99349 <P>Thanks David, I have these currently set on my search heads but curious as to what makes sense to add explicitly to time date / parsing that may improve indexing.</P> <P>Generally I don't want the entire app on my indexer as that will add to index time (slow resources)</P> <P>Is setting the time zone all I need to do for these source types? There's a lot of options for time date field parsing</P> Sat, 10 Aug 2019 17:57:46 GMT https://community.splunk.com/t5/Getting-Data-In/Indexers-props-conf/m-p/438000#M99349 Jarohnimo 2019-08-10T17:57:46Z https://community.splunk.com/t5/Getting-Data-In/Indexers-props-conf/m-p/438001#M99350 <P>For example, I'm pulling huge logs. And I read that due to the large log set event processing can be clogged on the forwarders. </P> <P>I saw this bit in an article I was reading</P> <P>For optimal performance of your data, you can set the following settings for your sourcetype in props.conf:</P> <P>DATETIME_CONFIG<BR /> MAX_TIMESTAMP_LOOKAHEAD<BR /> TIME_PREFIX<BR /> TIME_FORMAT<BR /> SHOULD_LINEMERGE<BR /> ANNOTATE_PUNCT</P> <P>Should I be doing this on the inexers?</P> Wed, 30 Sep 2020 01:40:52 GMT https://community.splunk.com/t5/Getting-Data-In/Indexers-props-conf/m-p/438001#M99350 Jarohnimo 2020-09-30T01:40:52Z https://community.splunk.com/t5/Getting-Data-In/Indexers-props-conf/m-p/438002#M99351 <P>Yes! Exactly. <BR /> Those settings are referred to as the magic 6 and should be configured for all your sourcetypes. </P> <P>So yeah make sure you have the six of them in props.conf and drop all the search time configs : TIME_PREFIX, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD, SHOULD_LINEMERGE, LINE_BREAKER and TRUNCATE.</P> Wed, 30 Sep 2020 01:42:36 GMT https://community.splunk.com/t5/Getting-Data-In/Indexers-props-conf/m-p/438002#M99351 DavidHourani 2020-09-30T01:42:36Z https://community.splunk.com/t5/Getting-Data-In/Indexers-props-conf/m-p/438003#M99352 <P>@jarohnimo, do you need any more help on this issue ? If not could you please accept the answer to close it down ?</P> Wed, 14 Aug 2019 07:01:59 GMT https://community.splunk.com/t5/Getting-Data-In/Indexers-props-conf/m-p/438003#M99352 DavidHourani 2019-08-14T07:01:59Z