
What is props.conf in splunk?

Path Finder

Hey, Fellow Splunkers

I'm fairly new to Splunk. I was wondering: what exactly is the props.conf? Where is it located? And why is it important? My thought is that the props.conf is similar to a router configuration. I'm wondering, are my thoughts correct with respect to the props.conf?

Thank You,


Re: What is props.conf in splunk?

SplunkTrust

Welcome to Splunk @asarran !

The props.conf lives on the indexer, heavy forwarder, and/or search head, and this applies "rules" while the data is getting parsed. You can specify how it gets timestamped, the format of the timestamp, how the events should break, etc.

So basically, the props.conf will apply your configuration settings to your data while being indexed.

http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Propsconf

An example of a stanza in props.conf will look like this:

[log4j]
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE = ^\$\$\s[A-Z]{5}\s\$\$
TRUNCATE = 30000
MAX_EVENTS = 100000
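
Added example, not part of the original answer and not Splunk's code: a simplified Python model of how the three settings in the stanza above group raw lines into events, run on constructed sample lines. It assumes TRUNCATE is applied to each line before merging, and it does not model Splunk's other line-merging settings or defaults; `merge_lines` and `SAMPLE` are hypothetical names.

```python
import re

# Values copied from the [log4j] stanza above.
BREAK_ONLY_BEFORE = re.compile(r"^\$\$\s[A-Z]{5}\s\$\$")
TRUNCATE = 30000      # maximum line length, in bytes
MAX_EVENTS = 100000   # maximum number of lines merged into one event


def merge_lines(raw, break_before=BREAK_ONLY_BEFORE,
                truncate=TRUNCATE, max_events=MAX_EVENTS):
    """Group lines into events the way SHOULD_LINEMERGE=true is described:
    a new event starts only at a line matching BREAK_ONLY_BEFORE, or once
    the current event already holds max_events lines (simplified model)."""
    events, current = [], []
    for line in raw.splitlines():
        # Assumption: truncation is per line, counted in bytes.
        line = line.encode("utf-8")[:truncate].decode("utf-8", "ignore")
        if current and (break_before.search(line)
                        or len(current) >= max_events):
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


# Constructed sample input, not taken from a real log.
SAMPLE = (
    "$$ ERROR $$ payment failed\n"
    "java.lang.IllegalStateException: card declined\n"
    "    at com.example.Pay.charge(Pay.java:42)\n"
    "$$ DEBUG $$ retry scheduled\n"
    # WARN has four letters, so [A-Z]{5} does not match and this line
    # stays inside the DEBUG event instead of starting its own.
    "$$ WARN $$ queue almost full\n"
    "$$ FATAL $$ shutting down\n"
)

if __name__ == "__main__":
    for number, event in enumerate(merge_lines(SAMPLE), 1):
        print(f"--- event {number} ---\n{event}")
```

Running a sample of real log lines through a model like this before deploying a stanza shows whether every event header actually matches the break pattern.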

Re: What is props.conf in splunk?

SplunkTrust

Just a note that props.conf can also contain search-time configurations, and as such, usually does not live on just the indexer. It contains index-time and search-time configurations, so it can be placed on both.


Re: What is props.conf in splunk?

SplunkTrust

I've updated my answer to reflect this

0 Karma

Re: What is props.conf in splunk?

SplunkTrust

And to add another comment: in some cases it can be used on the universal forwarder as well 😉

See @amrit 's answer here: https://answers.splunk.com/answers/118668/filter-iis-logs-before-indexing.html

cheers, MuS

0 Karma

Re: What is props.conf in splunk?

Legend

@asarran, props.conf is analogous (very loosely) to a .ini file or .cfg file. It has the settings the Splunk engine uses to determine how to process the data, either prior to forwarding, prior to indexing OR prior to searching. As such, it can be on Heavy Forwarder, Indexer, Search Head or all of the above.

There are several .conf files in Splunk, and this link has a good explanation of what each does and when:

http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Listofconfigurationfiles
https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F
http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Propsconf

0 Karma

Re: What is props.conf in splunk?

Splunk Employee

If you are new to Splunk Enterprise and its configuration files, definitely take the time to read the topics in the Admin Manual that start with About configuration files. Understanding the configuration file directory structure, file structure, and file precedence is essential to operating Splunk Enterprise. There is also attribute precedence within a single props.conf file, and the docs have a topic about that, too.

The documentation description of what you can use props.conf for is: "Set indexing property configurations, including timezone offset, custom source type rules, and pattern collision priorities. Also, map transforms to event properties."

0 Karma