Do I need to restart Splunk after I make changes to Props.conf and Transforms.conf for the changes to take effect?
Thanks
No. Not if the changes are search time transforms on the indexer. You should be able to issue the following command in a splunkweb search:
| extract reload=t
This is an old instruction, but it is still in the documentation (it can't hurt). Search time transform instructions are read when the search is run.
Yes, if it is an index time transform on the indexer.
Yes. If the changes are on the forwarders - you need to restart the forwarder, but it has to be a heavy forwarder. Index time transforms don't work on universal forwarders, and search time extractions don't make sense on a forwarder. With regard to forwarders, if the changes are part of a deployed app configured to restart after changes, then this would happen automatically.
You actually do, as per the Splunk documentation:
props.conf.example
The following are example props.conf configurations. Configure properties for your data.
To use one or more of these configurations, copy the configuration block into props.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to enable configurations.
"Index time transforms don't work on universal forwarders"
Not true. With Splunk 7, at least, you can have universal forwarders do index work simply by adding force_local_processing = true to the forwarder's props.conf [<sourcetype>] and [source::<source>] stanzas.
I'm not the one that voted it down. i just voted it up one level.
Shall I delete my answer? The -2 is making me look bad.
Yes, trying to exclude certain events from being indexed... I've been working on this for a few days. Continually tweaking props.conf, transforms.conf, then restarting... trying to prevent certain events from being indexed. I'll get it eventually...
Don't feel bad for being new.
You are correct, if you are preventing items from being indexed, then it is an index time transform.
Let me guess, sending something to nullQueue?
Hate to be such a newbie, but how do I tell if it's index-time or search-time? My guess is that it's index-time since the stanza that I'm working with deals with preventing certain events from getting indexed in the first place.
transforms.conf can hold both index-time and search-time settings, so it's not possible to say just from the filename if you will need to restart or not.
Thanks for the corrections. So this is a transforms.conf for my OPSECLEA configuration on my main Splunk indexer (not forwarder) which I think is real-time indexing. So do I need to restart after a change to \data\splunk\apps\Splunk_TA_opseclea_linux22\local\transforms.conf?
Additionally, extract reload=t is no longer required (it hasn't been since at least 4.x I think) - all searches now start their own process and read their configuration upon start, so they will automatically get the latest available configuration.
This is incorrect. Whether you need to restart or not depends on if the change is related to an index-time setting or search-time setting. Index-time settings include line breaking, timestamp parsing among other things. Search-time settings relate mainly to field extraction and creation. This has nothing to do with whether the Splunk instance is an indexer or not.
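As an added illustration (not taken from any of the answers above, and not the asker's OPSECLEA app configuration), here is what the two kinds of settings look like side by side: an index-time TRANSFORMS- rule that routes matching events to nullQueue, which needs a restart of the instance that parses the data, and search-time EXTRACT-/REPORT- rules, which are read when a search starts. The sourcetype name, stanza names, regexes and field names are made-up placeholders.

```ini
# props.conf  (e.g. $SPLUNK_HOME/etc/apps/<app>/local/ on the parsing instance)
# Placeholder sourcetype; replace with your own.
[example:sourcetype]

# INDEX-TIME: TRANSFORMS- is applied in the parsing pipeline, so editing this
# (or the transforms.conf stanza it names) requires a restart of the indexer
# or heavy forwarder. On a universal forwarder it only takes effect with
# force_local_processing = true set in this stanza.
TRANSFORMS-drop_debug = drop_debug_events

# SEARCH-TIME: EXTRACT- and REPORT- are read by each search as it starts;
# no restart is needed after changing them.
EXTRACT-severity = ^\S+\s+(?<severity>INFO|WARN|ERROR)\s
REPORT-kv = example_kv_pairs

# transforms.conf  (same directory as props.conf)

# Index-time stanza: DEST_KEY = queue with FORMAT = nullQueue discards the
# event before it is written to an index. DEST_KEY pointing at a pipeline
# key (queue, _MetaData:Index, _raw, ...) is the tell-tale sign of an
# index-time transform.
[drop_debug_events]
REGEX = \sDEBUG\s
DEST_KEY = queue
FORMAT = nullQueue

# Search-time stanza: no DEST_KEY, only a field extraction. Used via REPORT-.
[example_kv_pairs]
REGEX = (\w+)=(\S+)
FORMAT = $1::$2
```

A quick way to confirm which kind you are looking at: an index-time stanza in transforms.conf sets DEST_KEY (or WRITE_META), while a search-time stanza only defines REGEX/FORMAT (or DELIMS/FIELDS) and is referenced from REPORT-.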