Archive
Highlighted

props.conf issues when overriding auto sourcetyping

Explorer

I set up the following after reading many answers here on this subject. I have csv input and so I did this to override auto sourcetyping.

props.conf

[source::C:\Documents and Settings\Sample\]
sourcetype = mytype
priority = 100
KV_MODE = none
CHECK_FOR_HEADER = false
REPORT-alarmtest = alarmtest

inputs.conf

[monitor:://C:\Documents and Settings\Sample\]
sourcetype = mytype

Appropriate transforms.conf is set and btool output looks fine with all my fields. When I test sourcetype (test sourcetype filename) I see that my props.conf is not taken:

Attr:REPORT-AutoHeader  AutoHeader-2
Attr:sourcetype csv-3

What else can I do/test?

Tags (1)
0 Karma
Highlighted

Re: props.conf issues when overriding auto sourcetyping

Motivator

Try changing your props.conf as such:

[source::C:\Documents and Settings\Sample\*.csv]

You can find the specifications for props.conf here: http://www.splunk.com/base/Documentation/4.1.3/Admin/Propsconf

Highlighted

Re: props.conf issues when overriding auto sourcetyping

Explorer

Tried that too. completly got rid of csv and crated a new extension. Still the same problem.

0 Karma
Highlighted

Re: props.conf issues when overriding auto sourcetyping

Explorer

correction: with *.csv at the end, same problem. When I create a new extension like "mytype" and test, the Attr:REPORT- field is missing but sourcetype is good (Attr:sourcetype mytype)

Either way, it is not taking my props.conf

0 Karma
Highlighted

Re: props.conf issues when overriding auto sourcetyping

Motivator

@pjmenon -- I assume you did restart splunk or run a | extract reload=true to make sure the new configs are applied?

0 Karma
Highlighted

Re: props.conf issues when overriding auto sourcetyping

Motivator

@pjmenon -- additionally I am not sure if test sourcetype will act on source:: fields. When your monitor picks up your files does it assign the correct sourcetype?

Highlighted

Re: props.conf issues when overriding auto sourcetyping

Explorer

I am running this as CLI. But I do restart splunk when I check things in the web interface. yes, the monitor picks up the right sourcetype. [monitor:://C:\Documents and Settings\Sample]
rcvbuf = 1572864
evt
dcname =
evt
dns_name =
host = S101401
index = default
sourcetype = mytype

0 Karma
Highlighted

Re: props.conf issues when overriding auto sourcetyping

Motivator

@pjmenon -- If the system picks up the files with the correct sourcetype at index time, I'm not quite sure what the problem is that you're having?

0 Karma
Highlighted

Re: props.conf issues when overriding auto sourcetyping

Explorer

I have a custome field extraction in transforms.conf and the associated stanza in props.conf. This props.conf is not picked up (overridden) and so my field extraction is not working. My whole idea o changing these conf files was to enforce my field extraction.

0 Karma
Highlighted

Re: props.conf issues when overriding auto sourcetyping

Motivator

@pjmenon -- would you mind posting your transforms.conf?

0 Karma