Archive2
Highlighted

Where do I make my configuration settings?

Splunk Employee
Splunk Employee

If I have a forwarder, a light forwarder, an indexer, and a search head, where do I need to make my configuration, particular those in props.conf and inputs.conf? Can each setting be done anywhere, or only some places? Does it make a difference where it is set? What happens if the settings are different in each place?

Are the answers to the above questions different for each setting, and if so, is there a listing of these answers anywhere?

Update: I will be offering a bounty on this question. Winning the bounty will require a comprehensive and reasonably easy to read table or chart documenting substantially all inputs.conf and props.conf properties and keys, any significant related ones from other places (such as transforms.conf, outputs.conf). It should indicate where and how the property must be set, where/how it may be set, and what takes precedence in case of conflicts. The properties documented should include:

  • source
  • sourcetype
  • host
  • index
  • queue
  • route / _TCP_ROUTING
  • the above for WMI inputs
  • time zone / TZ
  • time stamp extraction rules
  • line breaking rules
  • line merging rules
  • character set/CHARSET
  • extracted fields
  • transformed fields
  • data masking
  • segmentation
Tags (1)
Highlighted

Re: Where do I make my configuration settings?

Splunk Employee
Splunk Employee

More detailed and extensive answer here: http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F

Light Forwarder
Inputs.conf changes need to be made on the forwarder Props.conf (and corresponding references in transforms.conf) changes need to be made on the indexer

Forwarder
Inputs.conf changes need to be made on the forwarder Props.conf (and corresponding references in transforms.conf) changes need to be made on the forwarder

Indexer
Inputs.conf changes need to be made on the indexer Props.conf is needed for index time extractions

Search Head
Inputs.conf is not necessarily needed, you only need to deal with it if you want to collect data on this instance Props.conf is needed for all your search time extractions (field extractions being the obvious the example)

The spec file for the conf in question can usually clue in to where the settings need to be made

View solution in original post

Highlighted

Re: Where do I make my configuration settings?

Splunk Employee
Splunk Employee

Could you please edit that, to add linebreaks? 🙂
Thank you.

Highlighted

Re: Where do I make my configuration settings?

Splunk Employee
Splunk Employee
0 Karma
Reply
Highlighted

Re: Where do I make my configuration settings?

Splunk Employee
Splunk Employee

The docs have the complete story on where to put the conf settings:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurationparametersandthedatapipeline