Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Getting my priority's straight

cramasta
Builder
‎05-16-2013 07:36 AM

I have a question about how priority's work in a single props.conf file. If i have the two stanzas below and I index a file localted at /opt/system1/apps/logs/myfile.log what is the complete stanza that is used for processing the data. I am running 4.3.5

[source::/opt/*/apps/logs/*.log]
sourcetype=sourcetype1
TIME_PREFIX=^
TIME_FORMAT=%F %H:%M:%S,%3N
LINE_BREAKER = ([\r\n]+)(\d{4}-\d{2}-\d{2})
priority = 1

[source::/opt/system1/apps/logs/myfile.log]
sourcetype=sourcetype2
DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=false
priority = 2
MAX_EVENTS = 1

Because the source of the file matches both stanzas does Splunk merge the two stanzas together and any duplicate settings will be set to the stanza with the highest priority?

Would the final settings that get applied be

sourcetype=sourcetype2
DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=false
MAX_EVENTS = 1
TIME_PREFIX=^
TIME_FORMAT=%F %H:%M:%S,%3N
LINE_BREAKER = ([\r\n]+)(\d{4}-\d{2}-\d{2})

Tags (1)
0 Karma
Reply

bmacias84
Champion
‎05-16-2013 02:27 PM

I am not sure how you have your inputs.conf configured, but I seems you should be doing your sourcetype separation there. I've included a sample of an inputs.conf and props.conf I would use for your scenario.



#inputs.conf

[monitor:///opt/*/apps/logs/*.log]

blacklist=/opt/system1/apps/logs/myfile.log

sourcetype=sourcetype1




[monitor:///opt/system1/apps/logs/myfile.log]

sourcetype=sourcetype2





#props.conf

[sourcetype1]

TIME_PREFIX=^

TIME_FORMAT=%F %H:%M:%S,%3N

LINE_BREAKER = ([\r\n]+)(\d{4}-\d{2}-\d{2})

priority = 1




[sourcetype2]

DATETIME_CONFIG=CURRENT

SHOULD_LINEMERGE=false

priority = 2

MAX_EVENTS = 1

Hope this helps or gives you some ideas. Dont forget to vote and accept answser that help.

Cheers,

Reply

cramasta
Builder
‎05-16-2013 03:14 PM

My configurations pretty much match what you have. the problem is that sourcetype2 is not following the max_events=1 rule (events are being made up of multiple lines instead of 1 line per event). If i add the time_prefix, time_format_and line_breaker setting to sourcetype2 stanza then my events will be made up of multiple lines, (this goes back to my reason for posting to see if the stanzas are getting merged together which would explain why my events are being made up of multiple lines.)

0 Karma
Reply

wbfoxii
Communicator
‎05-16-2013 11:16 AM

Couldn't you run btool

bin/splunk btool props list | less

And list out what the composite props.conf file is?

Reply

cramasta
Builder
‎05-16-2013 11:57 AM

Yes I have done that and btool is showing that merging the stanzas together is NOT the case, BUT my logs are not line breaking correctly and the only thing that would have made sense is if they are being merged together so i figured I would ask.

0 Karma
Reply

bmacias84
Champion
‎05-16-2013 09:39 AM

Last stanza applied wins.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...