Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to change props.conf based on input/sourcetype

tbrown
Path Finder
‎07-08-2020 06:42 AM

I have a couple .txt files that I want to parse differently than the rest of my data coming in from my forwarders.

How could I change the props.conf (Or any other relevant config file) to parse through this specific sourcetype/input differently? (Ex. Turn off breaks before dates, etc.)

Additionally, would I be able to do this on a forwarder/deployment-app level, or would I have to do this all on the $SPLUNK_HOME/etc/system/local level on the main Splunk instance server.

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-08-2020 06:59 AM
Modify the inputs.conf file to have a separate stanza for those .txt files. In that stanza, put the appropriate sourcetype for the data.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

tbrown
Path Finder
‎07-08-2020 07:57 AM

@richgalloway  

I changed the sourcetype for these files in the inputs.conf. Now do I edit how these sourcetypes are parsed in props.conf or inputs.conf?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-08-2020 08:17 AM
Sourcetype processing is controlled by props.conf files on the indexers (or HF, if you have one).
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...