Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

In which component in the distributed environment should I configure props.conf?

stevenbutterwor
Path Finder
‎09-14-2018 02:12 PM

I am using the universal forwarder(UF) to monitor a directory for a CSV file on a remote server. I have configured inputs.conf on the UF to monitor the dir. I am forwarding the data to a Heavy Forwarder which will then forward to an indexer cluster.

I want to tell Splunk where to find the time field and header line using a source type in props.conf

Which component in the distributed environment needs to have the source type configured? The UF, HF or indexer layer?

Thanks

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-17-2018 03:20 PM

It depends.

  • search time transforms go to the search-head
  • indextime transforms go to the indexers ( and heavy forwarders)
  • structured data (CSV/json) transforms go to the collector (it could be the universal forwarder)

As you are mentioning CSV with INDEXED_EXTRACTIONS = CSV, then it goes on props.conf on the collector, so the UF. The events will not be reparsed again at the indexer level.

Reply

ddrillic
Ultra Champion
‎09-18-2018 07:26 AM

Thank you @yannk for the clear delineation.

0 Karma
Reply

ddrillic
Ultra Champion
‎09-14-2018 02:51 PM

CSV is unique. You should have INDEXED_EXTRACTIONS = CSV on all three props.conf.

0 Karma
Reply

stevenbutterwor
Path Finder
‎09-16-2018 10:48 AM

So I need props at all three layers?

0 Karma
Reply

ddrillic
Ultra Champion
‎09-16-2018 11:00 AM

For the CSV case, you need it at the forwarder level and at the indexer level and from best practices perspective, the three layers should be identical configuration-wise.

0 Karma
Reply

stevenbutterwor
Path Finder
‎09-16-2018 11:55 AM

Excellent, so as long as I have INDEXED_EXTRACTIONS = CSV it should pick up the fields? Or do I need HEADER_FIELD_LINE_NUMBER = 1 also?

0 Karma
Reply

ddrillic
Ultra Champion
‎09-16-2018 06:04 PM

HEADER_FIELD_LINE_NUMBER = 1 is fine or you can let Splunk detect it...

I just used the Add Data feature for a csv file and it shows -

alt text

I deleted all except INDEXED_EXTRACTIONS = CSV and finished the upload. The data and all the fields are extracted and the generated stanza in props.conf is surprisingly - 

[csv_tst]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

.

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...