Splunk Enterprise: index-time parsing configuration, creating/editing of "props.conf"

sspomeplus
New Member

Hello,

  1. Based on Splunk's recommendation, the best path for this file "props.conf" is $SPLUNK_HOME/etc/system/local. If it is not there, then it must be created.

In our case, if there are multiple "props.conf" files in $SPLUNK_HOME/etc/apps/, is the props.conf naming only relevant from an event parsing point of view, so that it doesn't matter if there are a lot of files with the same name but different content?

  2. The best way will be to create in $SPLUNK_HOME/etc/system/local the file "props.conf" with the below content:

[MySourcetype]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
SHOULD_LINEMERGE = False
LINE_BREAKER = ([\n\r]+)(\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})
TRUNCATE = 999999
ANNOTATE_PUNCT = false

QUESTIONS:
- Any examples/suggestions regarding the "props.conf" content?
- Must this file "props.conf" be modified only on the SH (Search Head) or also on the indexers?

Regards,


somesoni2
Revered Legend

1) Not sure where you read the recommendation for keeping the configurations in etc/system/local. In my opinion, the configurations should be kept away from the default locations (etc/system/local, etc/apps/search/local) and should be kept in custom, deployable apps, for easy maintenance/deployment.
2) The props.conf content that you provided is for event parsing/timestamp recognition. That activity happens on the Indexers (if your source/universal forwarder sends data directly to the indexers) OR on the Heavy Forwarder (if data is collected by a heavy forwarder OR sent to a heavy forwarder from your source/universal forwarder), so it should be deployed/created on the Indexer/Heavy Forwarder, based on your topology.

The search head props.conf should only contain field extractions/transformations applicable at search time.

Hope this helps.

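An added example, not part of this thread or of Splunk's own code: a small Python check that approximates what the asker's LINE_BREAKER, TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD settings do to a constructed log chunk, so the stanza can be sanity-checked before it is deployed to the indexers or heavy forwarder. The sample log lines are constructed, and the splitting logic is an emulation of Splunk's documented semantics (group 1 of LINE_BREAKER is the discarded delimiter), not Splunk's parser.

```python
import re
from datetime import datetime

# Settings copied from the props.conf stanza in the thread.
LINE_BREAKER = r"([\n\r]+)(\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})"
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 19  # exactly the length of "YYYY-mm-dd HH:MM:SS"

# Constructed sample chunk: a one-line event, a multi-line event (stack
# trace), a normal event, and a line whose timestamp matches the breaker
# regex but is not a valid time (seconds = 99).
SAMPLE = (
    "2024-03-01 12:00:00 INFO service started\n"
    "2024-03-01 12:00:05 ERROR request failed\n"
    "  Traceback (most recent call last):\n"
    "    File \"app.py\", line 10, in handler\n"
    "2024-03-01 12:00:07 INFO recovered\n"
    "2024-03-01 12:00:99 WARN clock skew\n"
)


def break_events(raw, breaker=LINE_BREAKER):
    """Split raw text the way LINE_BREAKER does: capture group 1 is the
    delimiter and is discarded; the text after it (group 2 included) starts
    the next event. Continuation lines that do not begin with a timestamp
    never match, so they stay attached to the preceding event."""
    events, start = [], 0
    for m in re.finditer(breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.strip("\r\n") for e in events if e.strip()]


def extract_timestamp(event):
    """TIME_PREFIX = ^ puts the timestamp at the start of the event; only
    MAX_TIMESTAMP_LOOKAHEAD characters after the prefix are examined."""
    candidate = event[:MAX_TIMESTAMP_LOOKAHEAD]
    try:
        return datetime.strptime(candidate, TIME_FORMAT)
    except ValueError:
        return None  # Splunk would fall back to other heuristics here


def parse_chunk(raw=SAMPLE):
    """Return (timestamp or None, number of lines) per event."""
    return [(extract_timestamp(e), e.count("\n") + 1) for e in break_events(raw)]


if __name__ == "__main__":
    for ts, lines in parse_chunk():
        print(ts, "lines:", lines)
```

A None timestamp or an unexpected line count in the output is the signal that the regex or the format needs adjusting before the stanza goes to the indexers.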

sspomeplus
New Member

Not clear!

1) Per your recommendation, the correct path will be: "/opt/splunk/etc/deployment-apps".
- In our case there is nothing present regarding "props.conf" in SH (SearchHead vs Indexers).

2) UF sends data directly to Indexers.
a. In this case I must apply this "props.conf" file on the Indexers with the below format:

[MySourcetype]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
SHOULD_LINEMERGE = False
LINE_BREAKER = ([\n\r]+)(\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})
TRUNCATE = 999999
ANNOTATE_PUNCT = false

b. On the Search Head, must the "props.conf" file look like below?
- Where will the correct location of the "props.conf" file be?
- Is there a way to configure this file with the parameters in the Web GUI for Splunk 4?
- The search head "props.conf" should only contain field extractions/transformations applicable at search time. Where could I find some examples?

c. For "transforms.conf", what are the best practices? (I've read the documentation; it is unclear.)
