Hello all,
Hoping someone could help clarify and hopefully help figure out an issue I've run into. I created an automatic lookup table to add some details to my event data. I created a new props.conf and added a sourcetype within the props.conf. I configured the lookup file in global context and deployed the props.conf under /app/app_name/local directory. Now for some reason, the sourcetype I added in the props.conf file which is deployed under /app/app_Name/local is taking precedence over another props.conf that I have out there with the same sourcetype which handles a lot of normalization. Question is, why is this happening and what is the best workaround or way to tackle this problem. Thanks all.
For example:
Props.conf for automatic lookup
[distributor:remote]
LOOKUP-table = logs_per_day host OUTPUTNEW average_logs AS logs_per_day
Global master Props.conf This props.conf is no longer being loaded since the one above was deployed
[distributor:remote]
SEDCMD-moveheader = s/^\<\?xml[^\>]*\>\n*//g
EXTRACT-extract_ip = (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
bunch of other things.
Hi ronaldsc,
read the docs http://docs.splunk.com/Documentation/Splunk/6.3.3/Admin/Wheretofindtheconfigurationfiles about .conf
precedence.
Some time ago I learned that:
When different copies have conflicting attribute values (that is, when they set the same attribute to different values), Splunk uses the value from the file with the highest priority.
Looking at your examples there is no conflict.
Hope this helps ...
cheers, MuS
Hi ronaldsc,
read the docs http://docs.splunk.com/Documentation/Splunk/6.3.3/Admin/Wheretofindtheconfigurationfiles about .conf
precedence.
Some time ago I learned that:
When different copies have conflicting attribute values (that is, when they set the same attribute to different values), Splunk uses the value from the file with the highest priority.
Looking at your examples there is no conflict.
Hope this helps ...
cheers, MuS
Thanks for the quick reply, MuS. When you say you see no conflict what exactly do you mean? Based on the documentation you pointed me to it would seem that my sourcetype stanza in the newer props.conf would take precedence over the one under my TA directory since the custom app name comes before the TA path. Does this mean the one in TA gets ignored completely or does it mean that only duplicate declarations are ignored?
Only duplicates will be taken form the higher precedence .conf
file
This is of interest to you http://docs.splunk.com/Documentation/Splunk/6.3.3/Admin/Wheretofindtheconfigurationfiles#How_app_dir... for your example