Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Setting custom sourcetypes on 'managed' universal forwarder

jcbrendsel
Path Finder
‎10-19-2011 08:28 AM

I struggling getting my props.conf to work now that i have moved to a universal forwarder.

On previous versions of the forwarder, I have had set sourcetypes based as follows in props.conf:

[source::.../home/coveapi/cdn/cloudfront/E1YQY7Y6N916UA...]
TZ = GMT
sourcetype = cloudfront_rtmp

That worked great, but was creating a management challenge as the number of machines grew each with their own custom sourcetypes.

To address this. I am attempting to use the configuration deployment capabilities of Splunk.

So, I created an app called 'forwarder' on the deployment server and added my custom props.conf above.

/opt/splunk/etc/deployment-apps/forwarder

And I created the appropriate stanzas in serverclass.conf to target the machine in question.

And I verified that the 'forwarder' app is getting deployed to the target machine.

The problem, however, is that my props.conf settings are now not being respected.

Do I need to be putting the config files in a different 'app'? Such as the 'search' app opr the SplunkUniversalForwarder app? Or are there rules that dictate in which order the configuration files of each of the managed 'apps' are processed?

[root@cove-cdn apps]$ pwd
/opt/splunkforwarder/etc/apps

[root@cove-cdn apps]$ ls -l
total 16
drwx------ 4 root root 4096 Oct 19 09:19 forwarder
drwxr-xr-x 5 root root 4096 Oct 17 10:40 learned
drwxr-xr-x 6 root root 4096 Oct 17 10:40 search
drwxr-xr-x 4 root root 4096 Apr 15  2011 SplunkUniversalForwarder

Any guidance would be greatly appreciated.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎10-19-2011 11:40 AM

The TZ setting must be on the indexer: http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F

0 Karma
Reply

jcbrendsel
Path Finder
‎10-19-2011 11:56 AM

That's not the question. THe problem is that the sourcetype is not getting set now that the props.conf is being menaged in the deployment by the deployment server instead of being configured manually on the forwarder box.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...