Getting Data In

Splunk Enterprise: index-time parsing configuration creating/ editing of "props.conf"

sspomeplus
New Member

Hello,

  1. Based on Splunk recommendation the best path for this file"props.conf" is: $SPLUNK_HOME/etc/system/local If is not there then must be created.

In our case if in: $SPLUNK_HOME/etc/apps/ there are multiple files "props.conf", the props.conf naming is only for event parsing point of view, doesn't matter if there are a lot of files with the same name but different content?

  1. The best way will be to create in: $SPLUNK_HOME/etc/system/local the file "props.conf" with the below content: [MySourcetype] TIME_PREFIX = ^ TIME_FORMAT = %Y-%m-%d %H:%M:%S MAX_TIMESTAMP_LOOKAHEAD = 19 SHOULD_LINEMERGE = False LINE_BREAKER = ([\n\r]+)(\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}) TRUNCATE = 999999 ANNOTATE_PUNCT = false

QUESTIONS:
??? Any examples/ suggestion regarding the "props.conf" content?
??? This file "props.conf" must be modified only on SH (SearchHead) or also on indexers?

Regards,

0 Karma
1 Solution

somesoni2
Revered Legend

1) Not sure where you read the recommendation for keeping the configurations in etc/system/local. In my opinion, the configurations should be kept away from default locations (etc/system/local , etc/apps/search/local) and should be kept in custom, deployable apps. For easy maintenance/deployment.
2) The props.conf content that you provided is for event parsing/time stamp recognition. That activity happens in Indexers (if your source/universal forwarder directly sends data to indexers) OR Heavy forwarder (if data is collected from heavy forwarder OR sent to heavy forwarder from your source/universal forwarder), so it should be deployed/created in Indexer/Heavy forwarder, based on your topology.

The search head props.conf should only contain field extractions/transformations applicable at search time.

Hope this helps.

View solution in original post

0 Karma

sspomeplus
New Member

Not clear!

1) Per your recommendation the correct path will be: "/opt/splunk/etc/deployment-apps".
- In our case there is nothing present regarding "props.conf" in SH (SearchHead vs Indexers).

2) UF sends data directly to Indexers.
a. In this case i must apply this "props.conf" file in Indexers withthe below format:

[MySourcetype]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
SHOULD_LINEMERGE = False
LINE_BREAKER = ([\n\r]+)(\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})
TRUNCATE = 999999
ANNOTATE_PUNCT = false

b. SearchHead, file "props.conf" it must look like below?:
- Where will be the correct location of file "props.conf" ?
- It's there a way to configure in the WEB GUI for Splunk 4 this file with the parameters?
- The search head "props.conf" should only contain field extractions/transformations applicable at search time. Where i could find some examples?

c. For "transforms.conf" what is the best practices? (I've read the documentations is unclear).

0 Karma

somesoni2
Revered Legend

1) Not sure where you read the recommendation for keeping the configurations in etc/system/local. In my opinion, the configurations should be kept away from default locations (etc/system/local , etc/apps/search/local) and should be kept in custom, deployable apps. For easy maintenance/deployment.
2) The props.conf content that you provided is for event parsing/time stamp recognition. That activity happens in Indexers (if your source/universal forwarder directly sends data to indexers) OR Heavy forwarder (if data is collected from heavy forwarder OR sent to heavy forwarder from your source/universal forwarder), so it should be deployed/created in Indexer/Heavy forwarder, based on your topology.

The search head props.conf should only contain field extractions/transformations applicable at search time.

Hope this helps.

0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...