Re: Props and the Magic 8

dolj · ‎11-25-2024

with respect to the Magic 8 should you always try to include them in the props of your various source types for a data set? I am slightly confused as if this is a best practice why most pre-configured TAs on splunkbase include the magic 3 or 4 what happened to the rest of them? Is it always a best practice to include all 8?

sainag_splunk · ‎11-25-2024

Yes, it's recommended as a best practice to implement all Magic 8 configs because they establish consistency and reliability in data onboarding. While most TAs start with Magic 6, adding the EVENT_BREAKER configs gives you better control over event distribution and parsing. Think of Magic 6 as the minimum standard, and Magic 8 as the complete package for optimal data handling.

The TAs can be updated with the additional configs when needed based on your specific deployment, but having all 8 from the start is generally ideal as it prevents potential data parsing issues down the line.

If this Helps, Please Upvote.

If this helps, Upvote!!!!
Together we make the Splunk Community stronger 

richgalloway · ‎11-25-2024

Yes, it is considered Best Practice to specify all of the Great/Magic 8 props every time. People are lazy, however, so TAs often include only the props that differ from the default settings.

---
If this reply helps you, Karma would be appreciated.

Props and the Magic 8

props.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

Join the Conversation