I am working with application data that has the same exact format across several applications. The sourcetypes are based on application names. We have a couple of fields that we need to extract. I have a props.conf built, but we want to have one props.conf to control these settings across the applications. How can I tie the sourcetypes to the one props.conf file?
Thanks, Jenn
As an additional note, if you are extracting the same data across multiple source types, you should be using a transforms-based extraction. This allows you to assign that extraction to different sourcetypes in props.
Refer to the section in the props.conf spec file:
# * Defining new search-time field extractions. You can define basic search-time field
# extractions entirely through props.conf. But a transforms.conf component is required if
# you need to create search-time field extractions that involve one or more of the following:
# * Reuse of the same field-extracting regular expression across multiple sources,
# source types, or hosts.
# * Application of more than one regex to the same source, source type, or host.
# * Delimiter-based field extractions (they involve field-value pairs that are
# separated by commas, colons, semicolons, bars, or something similar).
# * Extraction of multiple values for the same field (multivalued field extraction).
# * Extraction of fields with names that begin with numbers or underscores.
http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Propsconf
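The transforms-based approach described in the comment above, written out as an added example (it is not from the thread): one transforms.conf stanza referenced by an explicit props.conf stanza per sourcetype. The sourcetype names app_one and app_two are placeholders; the transform name and field list are the ones posted elsewhere in this thread.

```ini
# --- transforms.conf ---
# The delimiter-based extraction is defined once and shared.
[commafields]
DELIMS = ","
FIELDS = field1,field2,field3,field4,field5

# --- props.conf ---
# Each sourcetype gets its own stanza that points at the shared transform.
# app_one and app_two are placeholder sourcetype names (assumed).
[app_one]
REPORT-commafields = commafields

[app_two]
REPORT-commafields = commafields
```

Adding another application is then a two-line props.conf stanza, and the field list is maintained in one place. Running `splunk btool props list app_one --debug` shows which file each effective setting comes from.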
Hey Jenn - check this out. Still a "hack" as far as I know but I tested it out and it worked :). I used it in props in conjunction with a stanza in transforms.conf.
In props.conf:
[(::){0}sourcetype:*]
KV_MODE = auto
REPORT-comma-delims = commafields
In transforms.conf:
[commafields]
DELIMS = ","
FIELDS = field1,field2,field3,field4,field5
Thanks for the information. We are testing both options to see which will work best for our situation. Thank you!
You have a [default] section/GLOBAL SETTINGS in props.conf which will be applied to all the sourcetype definitions in that props.conf/Splunk instance. You can specify your configurations there. But ensure that if any sourcetype is not supposed to use the [default] configurations, it has to explicitly overwrite those in its own definition.
See this for more information, http://docs.splunk.com/Documentation/Splunk/6.1.2/admin/Propsconf
Thanks for the information. This was helpful. I can't accept the answer because it is a reply, unfortunately.