
How to edit the configuration files?

I am new to Splunk. Could anyone please tell me how I should proceed in editing the .conf files in the local directory? Are these changes critical to the parsing of the log files before they are indexed for search? I know that the inputs.conf and sourcetypes.conf have to be changed, but I am not getting the required fields as per the log files, even if I do not make any changes at all.

Thanks.


Re: How to edit the configuration files?

Splunk Employee

The best place to start is here.

http://docs.splunk.com/Documentation/Splunk/5.0/Tutorial/GetthesampledataintoSplunk

For the basics of adding data to Splunk, this will make the changes to the config files for you. For more advanced data there are examples and details in our online documentation as well.


Re: How to edit the configuration files?

Splunk Employee

Usually parsing rules and field extractions (index-time and search-time) are in props.conf, organized per sourcetype.

For index-time, add it on the indexer; for search-time, on the search head (if any).

Remarks:

  • Never edit the /default/ directory; always create a new file in /local/ to contain your new settings and modifications.
  • If you edit a config file, restart the Splunk instance to apply it.
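A way to dry-run a search-time EXTRACT- rule from a local props.conf stanza against sample events before restarting the instance with it, as an added example (not Splunk's code and not from this thread); the sourcetype app:auth, the rule name, the field names and the events are constructed for the illustration:

```python
"""Dry-run a search-time EXTRACT- rule from a local/props.conf stanza against
sample events (added example; not Splunk code). Assumes Splunk-style PCRE named
groups (?<name>...) in the rule, which are rewritten to Python's (?P<name>...)."""
import re
from configparser import ConfigParser

# Constructed props.conf fragment: one sourcetype stanza with one EXTRACT- rule.
PROPS_LOCAL = r"""
[app:auth]
EXTRACT-login = user=(?<user>\S+)\s+src=(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})\s+result=(?<result>\w+)
"""

# Constructed sample events; the last one deliberately does not match the rule.
SAMPLE_EVENTS = [
    "2024-01-05T10:00:01Z user=alice src=10.0.0.7 result=success",
    "2024-01-05T10:00:02Z user=bob src=203.0.113.9 result=failure",
    "2024-01-05T10:00:03Z service restarted",
]


def load_extracts(props_text: str, sourcetype: str) -> dict:
    """Return {rule_name: compiled_regex} for the EXTRACT-* keys of one stanza."""
    cp = ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the EXTRACT-<name> key exactly as written
    cp.read_string(props_text)
    rules = {}
    for key, pattern in cp[sourcetype].items():
        if key.startswith("EXTRACT-"):
            # Rewrite (?<name> to (?P<name>, but leave lookbehinds (?<= and (?<! alone
            rules[key] = re.compile(re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern))
    return rules


def extract_fields(event: str, rules: dict) -> dict:
    """Apply every EXTRACT- rule to one event; a rule that does not match adds nothing."""
    fields = {}
    for rx in rules.values():
        m = rx.search(event)
        if m:
            fields.update({k: v for k, v in m.groupdict().items() if v is not None})
    return fields


if __name__ == "__main__":
    rules = load_extracts(PROPS_LOCAL, "app:auth")
    for ev in SAMPLE_EVENTS:
        print(ev, "->", extract_fields(ev, rules))
```

An event that yields an empty dict is one the rule would leave without those fields in search results, which is the quickest way to spot a regex that is too strict before it goes into /local/.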

Re: How to edit the configuration files?

I have read in a good many places that, rather than playing with config files beforehand, it is always better to do it after providing the input and parsing, i.e. dynamic searching. This may result in the addition of fields when we use regex on the log event entries in the index obtained from Splunk.
But making changes with regex for a particular field, then obtaining one of use and then saving it is also not an easy task, especially if you are not good at regex.

Thanks.


Re: How to edit the configuration files?

Splunk Employee

I would recommend trying the field extractor. That might help you get some of the extractions that aren't discovered automatically.

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/ExtractfieldsinteractivelywithIFX
