Getting Data In

Is restart required after making changes to Props.conf and Transforms.conf?

echojacques
Builder

Do I need to restart Splunk after I make changes to Props.conf and Transforms.conf for the changes to take effect?

Thanks

1 Solution

lukejadamec
Super Champion

No. Not if the changes are search time transforms on the indexer. You should be able to issue the following command in a splunkweb search: | extract reload=t (this is an old instruction, but it is still in the documentation; it can't hurt). Search time transform instructions are read when the search is run.

Yes, if it is an index time transform on the indexer.

Yes, if the changes are on the forwarders: you need to restart the forwarder, but it has to be a heavy forwarder. Index time transforms don't work on universal forwarders, and search time extractions don't make sense on a forwarder. With regard to forwarders, if the changes are part of a deployed app configured to restart after changes, then this would happen automatically.


linu1988
Champion

You actually do, as per the Splunk documentation:

props.conf.example

Version 5.0.4

The following are example props.conf configurations. Configure properties for your data.

To use one or more of these configurations, copy the configuration block into
props.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to enable configurations.

DUThibault
Contributor

Index time transforms don't work on universal forwarders

Not true. With Splunk 7, at least, you can have universal forwarders do index work simply by adding force_local_processing = true to the forwarder's props.conf [<sourcetype>] and [source::<source>] stanzas.

0 Karma

echojacques
Builder

I'm not the one that voted it down. I just voted it up one level.

0 Karma

lukejadamec
Super Champion

Shall I delete my answer? The -2 is making me look bad.

0 Karma

echojacques
Builder

Yes, trying to exclude certain events from being indexed... I've been working on this for a few days. Continually tweaking props.conf, transforms.conf, then restarting... trying to prevent certain events from being indexed. I'll get it eventually...

0 Karma

lukejadamec
Super Champion

Don't feel bad for being new.

You are correct, if you are preventing items from being indexed, then it is an index time transform.
Let me guess, sending something to nullQueue?

0 Karma

echojacques
Builder

Hate to be such a newbie, but how do I tell if it's index-time or search-time? My guess is that it's index-time since the stanza that I'm working with deals with preventing certain events from getting indexed in the first place.

0 Karma

Ayn
Legend

transforms.conf can hold both index-time and search-time settings, so it's not possible to say just from the filename if you will need to restart or not.

echojacques
Builder

Thanks for the corrections. So this is a transforms.conf for my OPSECLEA configuration on my main Splunk indexer (not forwarder) which I think is real-time indexing. So do I need to restart after a change to \data\splunk\apps\Splunk_TA_opseclea_linux22\local\transforms.conf?

0 Karma

Ayn
Legend

Additionally, extract reload=t is no longer required (it hasn't been since at least 4.x I think) - all searches now start their own process and read their configuration upon start, so they will automatically get the latest available configuration.

Ayn
Legend

This is incorrect. Whether you need to restart or not depends on if the change is related to an index-time setting or a search-time setting. Index-time settings include line breaking, timestamp parsing among other things. Search-time settings relate mainly to field extraction and creation. This has nothing to do with whether the Splunk instance is an indexer or not.
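The points made across this thread (nullQueue filtering is index-time and needs a restart on whichever instance parses the data; field extractions are search-time and are picked up by the next search; a universal forwarder only parses locally when told to) can be put side by side in one props.conf/transforms.conf pair. The following is an added example, not configuration from any poster or from the Splunk_TA_opseclea app mentioned above; the sourcetype name fw_audit, the stanza names and the field names are assumptions, and the comments mark which file on which instance each part belongs in.

```ini
# ---- file: props.conf on the parsing tier (indexer or heavy forwarder),
# ---- e.g. $SPLUNK_HOME/etc/apps/<app>/local/props.conf
# Sourcetype "fw_audit" is an assumed name for this example.
[fw_audit]
# INDEX-TIME: route matching events to nullQueue before they are indexed.
# Editing this line or the transform it points at requires a restart of the
# instance that parses the data (indexer, or heavy forwarder in front of it).
TRANSFORMS-drop_noise = fw_audit_drop_heartbeat

# SEARCH-TIME: field extraction evaluated when a search runs on the search head
# or indexer. No restart; the next search reads the edited stanza.
REPORT-fw_kv = fw_audit_kv
EXTRACT-src_user = user=(?<src_user>[^\s,]+)

# ---- file: transforms.conf on the same instance as the props.conf above
[fw_audit_drop_heartbeat]
# Events matching REGEX are dropped permanently; keep the pattern narrow so
# audit events with a similar shape are not lost with the heartbeats.
REGEX = action=heartbeat
DEST_KEY = queue
FORMAT = nullQueue

[fw_audit_kv]
# Search-time key=value extraction for comma-separated "key=value" pairs.
DELIMS = ",", "="

# ---- file: props.conf on a universal forwarder ONLY
# Without this the UF does not run TRANSFORMS-* stanzas at all; with it the UF
# parses fw_audit locally, so the nullQueue transform (and its transforms.conf
# stanza) must also be deployed there, and the UF needs a restart after changes.
[fw_audit]
force_local_processing = true
TRANSFORMS-drop_noise = fw_audit_drop_heartbeat
```

Two checks worth doing after a change of this kind: run `splunk btool props list fw_audit --debug` (and the same for transforms) on the instance that parses the data to confirm the stanza you edited is the one that wins the precedence merge, and test the nullQueue regex against a sample of events before restarting, since anything it matches is discarded before it is indexed and cannot be recovered by a later config fix.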
