Getting Data In

How to change props.conf based on input/sourcetype

Path Finder

I have a couple .txt files that I want to parse differently than the rest of my data coming in from my forwarders.

How could I change the props.conf (Or any other relevant config file) to parse through this specific sourcetype/input differently? (Ex. Turn off breaks before dates, etc.)

Additionally, would I be able to do this on a forwarder/deployment-app level, or would I have to do this all on the $SPLUNK_HOME/etc/system/local level on the main Splunk instance server.

 

Labels (1)
Tags (1)
0 Karma

SplunkTrust
SplunkTrust
Modify the inputs.conf file to have a separate stanza for those .txt files. In that stanza, put the appropriate sourcetype for the data.
---
If this reply helps you, an upvote would be appreciated.
0 Karma

Path Finder

@richgalloway  

I changed the sourcetype for these files in the inputs.conf. Now do I edit how these sourcetypes are parsed in props.conf or inputs.conf?

0 Karma

SplunkTrust
SplunkTrust
Sourcetype processing is controlled by props.conf files on the indexers (or HF, if you have one).
---
If this reply helps you, an upvote would be appreciated.
0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!