Solved: Splunk Enterprise: index-time parsing configuratio...

sspomeplus · ‎07-29-2016

Hello,

Based on Splunk recommendation the best path for this file"props.conf" is: $SPLUNK_HOME/etc/system/local If is not there then must be created.

In our case if in: $SPLUNK_HOME/etc/apps/ there are multiple files "props.conf", the props.conf naming is only for event parsing point of view, doesn't matter if there are a lot of files with the same name but different content?

The best way will be to create in: $SPLUNK_HOME/etc/system/local the file "props.conf" with the below content: [MySourcetype] TIME_PREFIX = ^ TIME_FORMAT = %Y-%m-%d %H:%M:%S MAX_TIMESTAMP_LOOKAHEAD = 19 SHOULD_LINEMERGE = False LINE_BREAKER = ([\n\r]+)(\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}) TRUNCATE = 999999 ANNOTATE_PUNCT = false

QUESTIONS:
??? Any examples/ suggestion regarding the "props.conf" content?
??? This file "props.conf" must be modified only on SH (SearchHead) or also on indexers?

Regards,

somesoni2 · ‎07-29-2016

1) Not sure where you read the recommendation for keeping the configurations in etc/system/local. In my opinion, the configurations should be kept away from default locations (etc/system/local , etc/apps/search/local) and should be kept in custom, deployable apps. For easy maintenance/deployment.
2) The props.conf content that you provided is for event parsing/time stamp recognition. That activity happens in Indexers (if your source/universal forwarder directly sends data to indexers) OR Heavy forwarder (if data is collected from heavy forwarder OR sent to heavy forwarder from your source/universal forwarder), so it should be deployed/created in Indexer/Heavy forwarder, based on your topology.

The search head props.conf should only contain field extractions/transformations applicable at search time.

Hope this helps.

View solution in original post

sspomeplus · ‎08-01-2016

Not clear!

1) Per your recommendation the correct path will be: "/opt/splunk/etc/deployment-apps".
- In our case there is nothing present regarding "props.conf" in SH (SearchHead vs Indexers).

2) UF sends data directly to Indexers.
a. In this case i must apply this "props.conf" file in Indexers withthe below format:

[MySourcetype]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
SHOULD_LINEMERGE = False
LINE_BREAKER = ([\n\r]+)(\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})
TRUNCATE = 999999
ANNOTATE_PUNCT = false

b. SearchHead, file "props.conf" it must look like below?:
- Where will be the correct location of file "props.conf" ?
- It's there a way to configure in the WEB GUI for Splunk 4 this file with the parameters?
- The search head "props.conf" should only contain field extractions/transformations applicable at search time. Where i could find some examples?

c. For "transforms.conf" what is the best practices? (I've read the documentations is unclear).

somesoni2 · ‎07-29-2016

1) Not sure where you read the recommendation for keeping the configurations in etc/system/local. In my opinion, the configurations should be kept away from default locations (etc/system/local , etc/apps/search/local) and should be kept in custom, deployable apps. For easy maintenance/deployment.
2) The props.conf content that you provided is for event parsing/time stamp recognition. That activity happens in Indexers (if your source/universal forwarder directly sends data to indexers) OR Heavy forwarder (if data is collected from heavy forwarder OR sent to heavy forwarder from your source/universal forwarder), so it should be deployed/created in Indexer/Heavy forwarder, based on your topology.

The search head props.conf should only contain field extractions/transformations applicable at search time.

Hope this helps.

Splunk Enterprise: index-time parsing configuration creating/ editing of "props.conf"

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio