Solved: Re: Local props.conf and transforms.conf

balcv · ‎04-23-2020

When creating the local/props.conf and local/transforms.conf, do I need to copy the entire default/props.conf and default/transforms.conf files into local/ or do I simply start with blank files and add the sections I need?

wwhite12 · ‎04-23-2020

No you do not, local will always take precedence and will not be overwritten when updating the app. Whereas best practice with default is to leave alone as it will be overwritten if app is ever updated so you don't want to lose your changes by putting them there.
https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Wheretofindtheconfigurationfiles#How_Splunk...

View solution in original post

wwhite12 · ‎04-23-2020

No you do not, local will always take precedence and will not be overwritten when updating the app. Whereas best practice with default is to leave alone as it will be overwritten if app is ever updated so you don't want to lose your changes by putting them there.
https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Wheretofindtheconfigurationfiles#How_Splunk...

balcv · ‎04-23-2020

Thanks for that. Just wanted to make sure before I made too many changes.

esix_splunk · ‎04-23-2020

No you do not, only the settings you want to overwrite or change from the default.

There is a default stanza that all props inherit settings from, you can find that in default.

If you run btool --debug against your sourcetype, you will be able see all the settings that are applied and inherited from the default, along with which files Splunk is reading the configuration from. Good to always check!

Local props.conf and transforms.conf

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...