Deployment Architecture

Which prop options to put intl the uf or indexer?

Jeanmichou
Loves-to-Learn Lots

Hello, I have an application with an uf, an indexer and a sh. For a csv it is recommended to put some options in the uf and others in the indexer. For example the field_names. Do you know what types of options to put where?

Labels (2)
0 Karma

Jeanmichou
Loves-to-Learn Lots

It's rather strange to not have any official documentation on this. This is something on which we have blocked a long time (for the csv case) and I have not found any concrete doc on the internet. We will duplicate the file because of this, it will generate additional maintenance to maintain it. It's sad 😞

0 Karma

gcusello
SplunkTrust
SplunkTrust

hi @Jeanmichou,

in Splunk documentation, you have to see in Getting data in section (https://docs.splunk.com/Documentation/SplunkCloud/9.0.2209/Admin/IntroGDI) or at props.conf documentation page (https://docs.splunk.com/Documentation/Splunk/9.0.3/Admin/Propsconf).

then there are many videos in the YouTube Splnk Channel as this: https://www.youtube.com/watch?v=3kx0OGKy_XU 

Ciao.

Giuseppe

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

here is excellent flow chart where you could check that

https://www.aplura.com/assets/pdf/where_to_put_props.pdf

One option is put the same file to all of those places. Not the best one, but probably the easiest one?

r. Ismo

0 Karma

Jeanmichou
Loves-to-Learn Lots

Hello, thks for the answer.

It's a csv file. That's what I thought but I would have liked to do things "properly". There is a non-exhaustive list of what can or cannot be put in each application-props?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Jeanmichou,

the correct approach is:

  • take a sample of your file,
  • import it in Add data GUI feature [Settings > Add Data],
  • identify the options needed for your file (INDEXED_Extractions, timestamp, etc...), Splunk guides you in this job,
  • copy the props.conf identified in this way in your servers.

As I said I hint to use the same props.conf in all your servers.

The exact options to use depend on your file, but the GUI procedure guides you in this activity.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Jeanmichou,

UFs are used to ingest files, so you use inputs.conf.

I suppose that you're speking of props.conf.

props.conf is used for the parsing phase that is usually done on Indexers or (when present) on intermediate Heavy Forwarders.

there's only one exception to this rule that is when you have csv or json or XML files.

In this case, you have to put props.conf also on UFs.

At least my hint is to use the same props.conf both on UF, SH and IDX deploying it in a dedicated Add-On.

Ciao.

Giuseppe

 

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...