Re: Does a universal forwarder ever read props.con...

a212830 · ‎08-30-2014

Hi,

Does a UFW ever read a props.conf file? Is there any reason to put a props.conf on a UFW system?

gbronner_rbc · ‎09-30-2015

It appears that you need to edit the props.conf file on the forwarder if you want to have non-default handling of structured (e.g. CSV files).

In particular, I was trying to have a CSV file override the timestamp field to read it from one of my fields -- I needed to tell the fowarder that it was a custom type:

Forwarder:

[myType]
INDEXED_EXTRACTIONS = csv

And on the indexer:

[myType]
INDEXED_EXTRACTIONS = csv
TIMESTAMP_FIELDS = foo

If only the second one was set, the events did not parse correctly.

gkanapathy · ‎08-30-2014

Yes it does. See http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F under "inputs".

cphair · ‎05-07-2015

See http://wiki.splunk.com/Community:HowIndexingWorks for a summary of which settings take effect at which locations.

Runals · ‎09-02-2014

? That is not how I understand the process to happen or even what I read from what you linked. A UF has no concept of what an event is. However you can set things like the host and sourcetype fields and what index data goes to. You can't do things like control linebreaking, timestamp definition, etc which are set in props.

Does a universal forwarder ever read props.conf?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation