Getting Data In

Editing props.conf after adding source?

ehs
New Member

Is there a way, in the GUI, to edit props.conf after creating a new source (and after indexing)? If not, where can I find the right file (in Windows) to do the editing - a search for props.conf yields several locations/versions.

Tags (2)
0 Karma

kristian_kolb
Ultra Champion

That totally depends on what you want to do. Some things, like simple field extraction, can be done through the GUI, e.g. through the IFX (and only after the data has been indexed). Other stuff, like line breaking, can only be done in the config files.

What can be a bit confusing is that some of the props.conf settings deal with operations that happen during the parsing/indexing phase, and others that happen in the search phase. In a Splunk deployment larger than one machine, your props.conf files will/could/should look very different, depending on if it's on an Indexer, a SearchHead or a Heavy Forwarder. The reason for this is that, in a distributed setup, different phases occur on different types of server.

For more information, please see
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurationparametersandthedatapipeline

As for the files themselves, they can typically reside in a few different places. The most common ones are in $SPLUNK_HOME/etc/system/local and $SPLUNK_HOME/etc/apps/<some_app_name>/local.
You should never ever ever ever EVER edit files in a 'default' directory, like $SPLUNK_HOME/etc/system/default/props.conf. Although there are several props.conf files in your system, they will be 'merged' at runtime, and settings in one file will override the same setting in another file, depending on precedence. Any config files in $SPLUNK_HOME/etc/system/local/ will always have precedence over all others.

For more information on configuration file precedence, see
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

EDIT: $SPLUNK_HOME refers to your Splunk directory, typically /opt/splunk on *nix, and c:\program files\splunk on Windows.

Hope this helps, and please vote up and/or mark as answered if this was answered your question.

/Kristian