Getting Data In

In which component in the distributed environment should I configure props.conf?

stevenbutterwor
Path Finder

I am using the universal forwarder (UF) to monitor a directory for a CSV file on a remote server. I have configured inputs.conf on the UF to monitor the directory. I am forwarding the data to a heavy forwarder, which will then forward to an indexer cluster.

I want to tell Splunk where to find the time field and the header line using a source type in props.conf.

Which component in the distributed environment needs to have the source type configured? The UF, HF or indexer layer?

Thanks


yannK
Splunk Employee

It depends.

  • search-time transforms go to the search head
  • index-time transforms go to the indexers (and heavy forwarders)
  • structured data (CSV/JSON) transforms go to the collector (it could be the universal forwarder)

As you are mentioning CSV with INDEXED_EXTRACTIONS = CSV, it goes in props.conf on the collector, so the UF. The events will not be reparsed at the indexer level.

ddrillic
Ultra Champion

Thank you @yannk for the clear delineation.


ddrillic
Ultra Champion

CSV is unique. You should have INDEXED_EXTRACTIONS = CSV in all three props.conf files.


stevenbutterwor
Path Finder

So I need props at all three layers?


ddrillic
Ultra Champion

For the CSV case, you need it at the forwarder level and at the indexer level, and from a best-practices perspective, the three layers should be identical configuration-wise.


stevenbutterwor
Path Finder

Excellent, so as long as I have INDEXED_EXTRACTIONS = CSV it should pick up the fields? Or do I need HEADER_FIELD_LINE_NUMBER = 1 also?


ddrillic
Ultra Champion

HEADER_FIELD_LINE_NUMBER = 1 is fine, or you can let Splunk detect it...

I just used the Add Data feature for a CSV file and it shows -


I deleted all except INDEXED_EXTRACTIONS = CSV and finished the upload. The data and all the fields are extracted and the generated stanza in props.conf is surprisingly -

[csv_tst]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

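As an added example that is not part of this thread, the props.conf stanza below is what the original question was after: it goes on the universal forwarder (the collector, per the answers above) and tells Splunk which line holds the column names and which column holds the event time, with a matching inputs.conf stanza. The sourcetype name, monitored path, time column name and time format are assumptions for illustration.

```ini
# props.conf on the universal forwarder (the collector).
# Structured-data settings are applied where the file is read, so they
# must live on the forwarder; the thread recommends carrying the same
# stanza to the heavy forwarder and indexers for consistency.
# Sourcetype name, field names and format below are assumed.
[csv_with_header]
INDEXED_EXTRACTIONS = csv
# line 1 of the file carries the column names
HEADER_FIELD_LINE_NUMBER = 1
FIELD_DELIMITER = ,
# column that carries the event time, and how to parse it
TIMESTAMP_FIELDS = event_time
TIME_FORMAT = %Y-%m-%d %H:%M:%S
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true

# inputs.conf on the same forwarder: bind the monitored directory to
# that sourcetype so the stanza above is applied at read time.
# Path and index are assumed.
[monitor:///data/exports/*.csv]
sourcetype = csv_with_header
index = main
```

Keep comments on their own lines in .conf files; Splunk treats text after a value on the same line as part of the value.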