Is there a way, in the GUI, to edit props.conf after creating a new source (and after indexing)? If not, where can I find the right file (in Windows) to do the editing - a search for props.conf yields several locations/versions.
That totally depends on what you want to do. Some things, like simple field extraction, can be done through the GUI, e.g. through the IFX (and only after the data has been indexed). Other stuff, like line breaking, can only be done in the config files.
What can be a bit confusing is that some of the props.conf settings deal with operations that happen during the parsing/indexing phase, and others that happen in the search phase. In a Splunk deployment larger than one machine, your props.conf files will/could/should look very different, depending on if it's on an Indexer, a SearchHead or a Heavy Forwarder. The reason for this is that, in a distributed setup, different phases occur on different types of server.
For more information, please see
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurationparametersandthedatapipeline
As for the files themselves, they can typically reside in a few different places. The most common ones are in $SPLUNK_HOME/etc/system/local
and $SPLUNK_HOME/etc/apps/<some_app_name>/local
.
You should never ever ever ever EVER edit files in a 'default' directory, like $SPLUNK_HOME/etc/system/default/props.conf
. Although there are several props.conf files in your system, they will be 'merged' at runtime, and settings in one file will override the same setting in another file, depending on precedence. Any config files in $SPLUNK_HOME/etc/system/local/
will always have precedence over all others.
For more information on configuration file precedence, see
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles
EDIT: $SPLUNK_HOME
refers to your Splunk directory, typically /opt/splunk
on *nix, and c:\program files\splunk
on Windows.
Hope this helps, and please vote up and/or mark as answered if this was answered your question.
/Kristian