Getting Data In

In which component in the distributed environment should I configure props.conf?

stevenbutterwor
Path Finder

I am using the universal forwarder (UF) to monitor a directory for a CSV file on a remote server. I have configured inputs.conf on the UF to monitor the dir. I am forwarding the data to a Heavy Forwarder which will then forward to an indexer cluster.

I want to tell Splunk where to find the time field and header line using a source type in props.conf.

Which component in the distributed environment needs to have the source type configured? The UF, HF or indexer layer?

Thanks

0 Karma

yannK
Splunk Employee

It depends.

  • search-time transforms go to the search head
  • index-time transforms go to the indexers (and heavy forwarders)
  • structured data (CSV/JSON) transforms go to the collector (it could be the universal forwarder)

As you are mentioning CSV with INDEXED_EXTRACTIONS = CSV, then it goes on props.conf on the collector, so the UF. The events will not be reparsed again at the indexer level.

ddrillic
Ultra Champion

Thank you @yannk for the clear delineation.

0 Karma

ddrillic
Ultra Champion

CSV is unique. You should have INDEXED_EXTRACTIONS = CSV on all three props.conf.

0 Karma

stevenbutterwor
Path Finder

So I need props at all three layers?

0 Karma

ddrillic
Ultra Champion

For the CSV case, you need it at the forwarder level and at the indexer level, and from a best-practices perspective, the three layers should be identical configuration-wise.

0 Karma

stevenbutterwor
Path Finder

Excellent, so as long as I have INDEXED_EXTRACTIONS = CSV it should pick up the fields? Or do I need HEADER_FIELD_LINE_NUMBER = 1 also?

0 Karma

ddrillic
Ultra Champion

HEADER_FIELD_LINE_NUMBER = 1 is fine or you can let Splunk detect it...

I just used the Add Data feature for a csv file and it shows -

I deleted all except INDEXED_EXTRACTIONS = CSV and finished the upload. The data and all the fields are extracted and the generated stanza in props.conf is surprisingly -

[csv_tst]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

0 Karma
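To make the thread's answers concrete, here is an added example of what the UF-side configuration for the scenario in the question could look like. It is not taken from any of the posts above or from Splunk's documentation; the sourcetype name csv_tst and the INDEXED_EXTRACTIONS, KV_MODE, SHOULD_LINEMERGE and NO_BINARY_CHECK settings come from the generated stanza in the last post, while the monitored path, the index name, the column name event_time and its time format are assumptions for illustration and must be replaced with the values from the real CSV.

```ini
# inputs.conf on the universal forwarder.
# Path and index are assumed for this example.
[monitor:///var/log/app/export.csv]
sourcetype = csv_tst
index = app_csv
disabled = false

# props.conf on the universal forwarder.
# Structured-data (CSV) parsing happens on the collector, so the header and
# timestamp settings have to be present here, not only on the HF or indexers.
[csv_tst]
INDEXED_EXTRACTIONS = csv
# Header is the first line of the file (the thread's HEADER_FIELD_LINE_NUMBER question).
HEADER_FIELD_LINE_NUMBER = 1
FIELD_DELIMITER = ,
# Assumed column name, format and timezone; all three depend on the actual CSV.
TIMESTAMP_FIELDS = event_time
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = UTC
KV_MODE = none
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true
```

Following the best practice stated in the thread, copy the same [csv_tst] stanza unchanged to the heavy forwarder and the indexers; because the UF has already split the header into fields and parsed the timestamp, those copies are there for consistency rather than re-parsing. On each host, `splunk btool props list csv_tst --debug` shows which file the effective settings come from, which is the quickest way to confirm the three layers really are identical. A wrong TIMESTAMP_FIELDS, TIME_FORMAT or TZ does not produce an error; it silently assigns the wrong _time to every event, which breaks any time-based correlation or alerting built on the data, so check the extracted _time against a few known rows after the first ingest.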