I set up the following after reading many answers here on this subject. I have csv input and so I did this to override auto sourcetyping.
[source::C:\Documents and Settings\Sample\] sourcetype = mytype priority = 100 KV_MODE = none CHECK_FOR_HEADER = false REPORT-alarmtest = alarmtest
[monitor:://C:\Documents and Settings\Sample\] sourcetype = mytype
Appropriate transforms.conf is set and btool output looks fine with all my fields. When I test sourcetype (test sourcetype filename) I see that my props.conf is not taken:
Attr:REPORT-AutoHeader AutoHeader-2 Attr:sourcetype csv-3
What else can I do/test?
Try changing your props.conf as such:
[source::C:\Documents and Settings\Sample\*.csv]
You can find the specifications for props.conf here: http://www.splunk.com/base/Documentation/4.1.3/Admin/Propsconf
correction: with *.csv at the end, same problem. When I create a new extension like "mytype" and test, the Attr:REPORT- field is missing but sourcetype is good (Attr:sourcetype mytype)
Either way, it is not taking my props.conf
@pjmenon -- I assume you did restart splunk or run a | extract reload=true to make sure the new configs are applied?
@pjmenon -- additionally I am not sure if test sourcetype will act on source:: fields. When your monitor picks up your files does it assign the correct sourcetype?
I am running this as CLI. But I do restart splunk when I check things in the web interface. yes, the monitor picks up the right sourcetype. [monitor:://C:\Documents and Settings\Sample]
rcvbuf = 1572864
host = S101401
index = default
sourcetype = mytype
@pjmenon -- If the system picks up the files with the correct sourcetype at index time, I'm not quite sure what the problem is that you're having?
I have a custome field extraction in transforms.conf and the associated stanza in props.conf. This props.conf is not picked up (overridden) and so my field extraction is not working. My whole idea o changing these conf files was to enforce my field extraction.