Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Splunk Enterprise: index-time parsing configuratio...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sspomeplus
New Member
07-29-2016
07:14 AM
Hello,
- Based on Splunk recommendation the best path for this file"props.conf" is: $SPLUNK_HOME/etc/system/local If is not there then must be created.
In our case if in: $SPLUNK_HOME/etc/apps/ there are multiple files "props.conf", the props.conf naming is only for event parsing point of view, doesn't matter if there are a lot of files with the same name but different content?
- The best way will be to create in: $SPLUNK_HOME/etc/system/local the file "props.conf" with the below content: [MySourcetype] TIME_PREFIX = ^ TIME_FORMAT = %Y-%m-%d %H:%M:%S MAX_TIMESTAMP_LOOKAHEAD = 19 SHOULD_LINEMERGE = False LINE_BREAKER = ([\n\r]+)(\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}) TRUNCATE = 999999 ANNOTATE_PUNCT = false
QUESTIONS:
??? Any examples/ suggestion regarding the "props.conf" content?
??? This file "props.conf" must be modified only on SH (SearchHead) or also on indexers?
Regards,
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
07-29-2016
10:24 AM
1) Not sure where you read the recommendation for keeping the configurations in etc/system/local. In my opinion, the configurations should be kept away from default locations (etc/system/local , etc/apps/search/local) and should be kept in custom, deployable apps. For easy maintenance/deployment.
2) The props.conf content that you provided is for event parsing/time stamp recognition. That activity happens in Indexers (if your source/universal forwarder directly sends data to indexers) OR Heavy forwarder (if data is collected from heavy forwarder OR sent to heavy forwarder from your source/universal forwarder), so it should be deployed/created in Indexer/Heavy forwarder, based on your topology.
The search head props.conf should only contain field extractions/transformations applicable at search time.
Hope this helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sspomeplus
New Member
08-01-2016
05:20 AM
Not clear!
1) Per your recommendation the correct path will be: "/opt/splunk/etc/deployment-apps".
- In our case there is nothing present regarding "props.conf" in SH (SearchHead vs Indexers).
2) UF sends data directly to Indexers.
a. In this case i must apply this "props.conf" file in Indexers withthe below format:
[MySourcetype]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
SHOULD_LINEMERGE = False
LINE_BREAKER = ([\n\r]+)(\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})
TRUNCATE = 999999
ANNOTATE_PUNCT = false
b. SearchHead, file "props.conf" it must look like below?:
- Where will be the correct location of file "props.conf" ?
- It's there a way to configure in the WEB GUI for Splunk 4 this file with the parameters?
- The search head "props.conf" should only contain field extractions/transformations applicable at search time. Where i could find some examples?
c. For "transforms.conf" what is the best practices? (I've read the documentations is unclear).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
07-29-2016
10:24 AM
1) Not sure where you read the recommendation for keeping the configurations in etc/system/local. In my opinion, the configurations should be kept away from default locations (etc/system/local , etc/apps/search/local) and should be kept in custom, deployable apps. For easy maintenance/deployment.
2) The props.conf content that you provided is for event parsing/time stamp recognition. That activity happens in Indexers (if your source/universal forwarder directly sends data to indexers) OR Heavy forwarder (if data is collected from heavy forwarder OR sent to heavy forwarder from your source/universal forwarder), so it should be deployed/created in Indexer/Heavy forwarder, based on your topology.
The search head props.conf should only contain field extractions/transformations applicable at search time.
Hope this helps.
Get Updates on the Splunk Community!
Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco
The Defining Technology Movement of Our Lifetime
The advent of agentic AI is arguably the defining technology ...
Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data
In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...
Your summer travels continue with new course releases
Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...
