Re: How to configure props.conf for two different ...

iherre312 · ‎10-15-2015

I have a two different props.conf stanzas for two different log types (i.e., bluecoat and bluecoat_proxysg). What is the best way to handle props.conf? Should I just create a separate sourcetype for each? The timestamps are in different formats and locations in the events.

rphillips_splk · ‎10-15-2015

If your timestamps for the two different types of log types are different then it makes sense to put them into different sourcetypes. The rules you apply to those sourcetypes can be applied based on the sourcetype in props.conf. If you're defining search-time extractions those would be applied to the sourcetype in props.conf on the search head. If you are defining index-time extractions, defining line-breaking , timestamp format, or using transforms etc those would be applied to the sourcetype in props.conf on the indexers. If you are using structured data header extractions such as INDEXED_EXTRACTIONS those would go into props.conf on the forwarder. Depending on your data and needs you could end up with props.conf configurations on all 3 instances for a given sourcetype or a combination of such.

How to configure props.conf for two different log types: bluecoat and bluecoat_sg?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor