Does the UF use props.conf and/or transforms.conf ...

nisse · ‎08-01-2011

If I am reading http://splunk-base.splunk.com/answers/27373/universal-forwarder-and-propsconf-and-transformsconf correctly, the UF does not support props.conf and transforms.conf. Yet the RPM includes the props files, which I find extremely confusing. What's the correct story? Is props.conf useful without transforms.conf? Which, if either, actually works with the UF?

$ rpm -qa | grep splunk
splunkforwarder-4.2.2-101277

$ rpm -ql splunkforwarder| egrep 'props|transforms' | sort
/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/props.conf
/opt/splunkforwarder/etc/apps/search/default/props.conf
/opt/splunkforwarder/etc/system/README/props.conf.example
/opt/splunkforwarder/etc/system/README/props.conf.spec
/opt/splunkforwarder/etc/system/default/props.conf

gkanapathy · ‎08-01-2011

You have misread. The UF does "support" props.conf. However, most settings in that file are irrelevant on a universal forwarder: http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F

Additionally, there are many settings in props.conf that do not reference transforms.conf. In fact, only REPORT, TRANSFORM, and LOOKUP do.

nisse · ‎08-02-2011

Thank you for clarifying!

Does the UF use props.conf and/or transforms.conf or not?

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...