Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I edit my current inputs.conf and props.conf for proper monitoring, setting a sourcetype, and line breaking?

newmember
New Member
‎01-09-2016 11:37 AM

Sorry newbie questions.
I have been looking at trying my hand at customizing the setup, instead of using the GUI.
These are from things I have tried and read in the docs.

The idea would be to set up the input folders in the "inputs.conf" file with "monitor" to grabd the logs, then use the "props.conf" file with "rule" to set the sourcetype for the logs.
The next thing I going to do is set up log parsing to linebreak before the log events.

A.
I created a inputs.conf and props.conf file
I added to this folder and it did not read the inputs.conf file:

D:\Splunk\etc\apps\ZINPUTS\defaults\inputs.conf

I moved it to this folder and then it read it:

D:\Splunk\etc\system\local\inputs.conf

I am wanting to create a config like and app that I could copy from one server to another, when should I put my custom conf files?
Is there a CLI to output which conf files splunk reads?

B.
Monitoring:
I created this monitor for each folder, I added the recursive=true just to remind me what the default setting it.
I have 40 folders that I will monitor.
This does not seem to work.

[monitor://D:\SplunkData\7641\logform1\...\*.log]
recursive = true

I would like to read logs from the following folders:

D:\SplunkData\7641\logform1\*.log
D:\SplunkData\7641\logform1\day1\*.log
D:\SplunkData\7641\logform1\day2\*.log
D:\SplunkData\7641\logform1\day1\hour1\*.log
D:\SplunkData\7641\logform1\day1\hour2\*.log

C.
props.conf
I am thinking I would use props.conf and rules to set the sourcetype of the logs so:
The name of the application appears on line 5 of each log file, can I do this to find and identify the log as the sourcetype:

[rule::logform1]
sourcetype=logform1
REGEX=\t\tlogform1.exe

Currently this throws and error when I start splunk:

        Invalid key in stanza [rule::logform1] in D:\Splunk\etc\system\local\props.conf, line 3: REGEX (value: \t\tlogform1.exe).

D.
Not sure what I will do here, I would like to set the break between records and there are four record types in one log file, I would like to break when these appear.

2016-01-07 15:07:30.879 DBUG
15:10:44.072_F_F_8837002
15:10:44.072 Int
Via: SIP/2.0/ UDP

Note: There are several more but these some of them.
I was going to use "BREAK_ONLY_BEFORE" for each of these log events.
Any ideas here?

Thanks for the assistance.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎01-10-2016 09:38 PM

C. not sure if it will not work, you cannot assign the sourcetype based on the content.
It's easier to make the sourcetype static, in the inputs.conf.

0 Karma
Reply

newmember
New Member
‎01-11-2016 11:05 AM

Really?

http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configurerule-basedsourcetyperecognition

Thanks

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎01-11-2016 11:53 AM

You are right, there is a way to detect the sourcetype later.
based on the content of the events, statistically.
but the correct parameter is not REGEX, try MORE_THAN_10

[rule::logform1]
sourcetype=logform1
MORE_THAN_10=\t\tlogform1.exe
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...