Hello,
In our case if in: $SPLUNK_HOME/etc/apps/ there are multiple files "props.conf", the props.conf naming is only for event parsing point of view, doesn't matter if there are a lot of files with the same name but different content?
QUESTIONS:
??? Any examples/ suggestion regarding the "props.conf" content?
??? This file "props.conf" must be modified only on SH (SearchHead) or also on indexers?
Regards,
1) Not sure where you read the recommendation for keeping the configurations in etc/system/local. In my opinion, the configurations should be kept away from default locations (etc/system/local , etc/apps/search/local) and should be kept in custom, deployable apps. For easy maintenance/deployment.
2) The props.conf content that you provided is for event parsing/time stamp recognition. That activity happens in Indexers (if your source/universal forwarder directly sends data to indexers) OR Heavy forwarder (if data is collected from heavy forwarder OR sent to heavy forwarder from your source/universal forwarder), so it should be deployed/created in Indexer/Heavy forwarder, based on your topology.
The search head props.conf should only contain field extractions/transformations applicable at search time.
Hope this helps.
Not clear!
1) Per your recommendation the correct path will be: "/opt/splunk/etc/deployment-apps".
- In our case there is nothing present regarding "props.conf" in SH (SearchHead vs Indexers).
2) UF sends data directly to Indexers.
a. In this case i must apply this "props.conf" file in Indexers withthe below format:
[MySourcetype]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
SHOULD_LINEMERGE = False
LINE_BREAKER = ([\n\r]+)(\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})
TRUNCATE = 999999
ANNOTATE_PUNCT = false
b. SearchHead, file "props.conf" it must look like below?:
- Where will be the correct location of file "props.conf" ?
- It's there a way to configure in the WEB GUI for Splunk 4 this file with the parameters?
- The search head "props.conf" should only contain field extractions/transformations applicable at search time. Where i could find some examples?
c. For "transforms.conf" what is the best practices? (I've read the documentations is unclear).
1) Not sure where you read the recommendation for keeping the configurations in etc/system/local. In my opinion, the configurations should be kept away from default locations (etc/system/local , etc/apps/search/local) and should be kept in custom, deployable apps. For easy maintenance/deployment.
2) The props.conf content that you provided is for event parsing/time stamp recognition. That activity happens in Indexers (if your source/universal forwarder directly sends data to indexers) OR Heavy forwarder (if data is collected from heavy forwarder OR sent to heavy forwarder from your source/universal forwarder), so it should be deployed/created in Indexer/Heavy forwarder, based on your topology.
The search head props.conf should only contain field extractions/transformations applicable at search time.
Hope this helps.