Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Setting custom sourcetypes on 'managed' universal forwarder

jcbrendsel
Path Finder
‎10-19-2011 08:28 AM

I struggling getting my props.conf to work now that i have moved to a universal forwarder.

On previous versions of the forwarder, I have had set sourcetypes based as follows in props.conf:

[source::.../home/coveapi/cdn/cloudfront/E1YQY7Y6N916UA...]
TZ = GMT
sourcetype = cloudfront_rtmp

That worked great, but was creating a management challenge as the number of machines grew each with their own custom sourcetypes.

To address this. I am attempting to use the configuration deployment capabilities of Splunk.

So, I created an app called 'forwarder' on the deployment server and added my custom props.conf above.

/opt/splunk/etc/deployment-apps/forwarder

And I created the appropriate stanzas in serverclass.conf to target the machine in question.

And I verified that the 'forwarder' app is getting deployed to the target machine.

The problem, however, is that my props.conf settings are now not being respected.

Do I need to be putting the config files in a different 'app'? Such as the 'search' app opr the SplunkUniversalForwarder app? Or are there rules that dictate in which order the configuration files of each of the managed 'apps' are processed?

[root@cove-cdn apps]$ pwd
/opt/splunkforwarder/etc/apps

[root@cove-cdn apps]$ ls -l
total 16
drwx------ 4 root root 4096 Oct 19 09:19 forwarder
drwxr-xr-x 5 root root 4096 Oct 17 10:40 learned
drwxr-xr-x 6 root root 4096 Oct 17 10:40 search
drwxr-xr-x 4 root root 4096 Apr 15  2011 SplunkUniversalForwarder

Any guidance would be greatly appreciated.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎10-19-2011 11:40 AM

The TZ setting must be on the indexer: http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F

0 Karma
Reply

jcbrendsel
Path Finder
‎10-19-2011 11:56 AM

That's not the question. THe problem is that the sourcetype is not getting set now that the props.conf is being menaged in the deployment by the deployment server instead of being configured manually on the forwarder box.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...