Getting Data In

Understanding props.conf and when it gets used.

vessev
Path Finder

Hello All,

As far as I know, Splunk merges all props.conf files (all TAs, apps, add-ons) into one single props.conf, like the other conf files.
Values can be overwritten depending on the placement in the folder structure (default/local ... system/default ... etc/default ... etc.).

As far as I understand props.conf, it gets used many times in the process of input processing, 4x (data pipeline).
I have inputs from a UDP port:

[udp://1516]
connection_host = dns
index = net
sourcetype = syslog

Is it right that my props.conf from Splunk_TA_juniper (see below) does not apply to this input,
because of the [<spec>] = [juniper], which means that this stanza only applies to input with sourcetype=juniper? (See the props.conf docs, search for: <sourcetype>, the source type of an event.)

This is the global part of the props.conf from the Juniper TA:

###### Globals ######
## Apply the following properties to juniper data
[juniper]
SHOULD_LINEMERGE = false
# For load balancing on UF
EVENT_BREAKER_ENABLE = true
TRANSFORMS-force_info_for_juniper = force_host_for_netscreen_firewall,force_sourcetype_for_netscreen_firewall,force_sourcetype_for_juniper_nsm,force_sourcetype_for_juniper_nsm_idp,force_sourcetype_for_juniper_sslvpn,force_sourcetype_for_junos_firewall,force_sourcetype_for_juniper_idp,force_sourcetype_for_junos_idp,force_sourcetype_for_junos_aamw,force_sourcetype_for_junos_secintel

If I get everything right, the first stanza [juniper] defines that the settings from this part of props.conf for stanza [juniper] only apply if the INPUT stream has sourcetype=juniper. If this is not the case, the stanza does nothing. So if I mess up the input sourcetypes, it could be possible that a Splunk_TA_* does nothing.
In the middle of the props the sources are also relevant, but for this specific part, is it mandatory that sourcetype equals juniper?

I ask this very specifically because I plan not to use the default input UDP ports. Instead I want to use syslog-ng, which could mess up sourcetypes AND sources.
That would mean for me that I have to look into every props.conf for this kind of input to verify which input source or sourcetype it reacts to, to make sure that the config applies to my data input.
If I'm wrong on something, please let me know.
I made my explanation a bit wider than it should be. I looked for a very long time in all docs and questions to extract this much information.
So if there is no false claim, then I could be a problem solver for someone else too.

Best regards,

Michele E.

0 Karma
1 Solution

richgalloway
SplunkTrust

You are correct, props.conf settings apply only to the sourcetype matching the stanza in which they are defined.

You do not need to look at every props.conf file. The Splunk btool command will do that for you. splunk btool props list juniper will show all of the [juniper] settings.

---
If this reply helps you, Karma would be appreciated.

vessev
Path Finder

I understand that command now, and I like it.

But your command did not help me much, and I'll tell you why.
If I do splunk btool inputs list juniper it would give me all existing [juniper] stanzas defined in an inputs.conf.
In my example no input is defined. (Many Splunk TAs do not have an inputs.conf, like Splunk_TA_juniper.)
So I have to create one ... the question is which sourcetype and source should I define?
This is highly related to the TA I want to use (for extracts etc.), so I have to look into the props.conf.

There are many differences regarding the props.conf. A few examples:

Barracuda TA: does not have any requirement (source, sourcetype, hostname etc.); it applies to everything
TA-cisco_ios: Requires the input with a sourcetype=syslog
Splunk_TA_juniper: Requires the input with a sourcetype=juniper

If you want to forward or collect this input with a syslog-ng server or universal forwarder, you have to define the inputs.conf yourself. This is why I needed to understand props.conf and transforms.conf in order to define those inputs. It was necessary to understand which requirements those TAs have, and in my opinion, regarding those kinds of TAs, it's all written in the props.conf.

But again, thanks for your help!
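A toy resolver, added here as an example and not code from Splunk, from any TA or from the posters in this thread, for the two points discussed in the question and in the reply above: how the props.conf layers merge into one effective configuration (what btool shows you), and which stanzas apply to an event depending on its sourcetype, source and host. The file names, stanzas and values in LAYERS are constructed (the [juniper] body echoes the globals quoted in the question); the stanza precedence (literal before wildcard, source before host before sourcetype, [default] as catch-all) follows the props.conf spec, while the layer ordering is a simplification of btool's real precedence rules.

```python
"""Toy model of props.conf layering and stanza matching.

Added example, not Splunk's code or any TA's code. It models (1) btool-style
layering, where a higher-precedence layer (e.g. an app's local/) overrides
the same key from a lower one (default/), and (2) which props.conf stanzas
apply to an event by sourcetype, [source::] or [host::]. Stanza precedence
follows the props.conf spec: literal stanzas beat wildcard stanzas, and
source stanzas beat host stanzas beat sourcetype stanzas; [default] applies
to everything. The layers below are constructed fragments, not real TA files.
"""
import configparser
import re

# Constructed layers, lowest precedence first (a simplification of btool's
# real ordering, which also depends on app name and context).
LAYERS = [
    ("etc/system/default/props.conf", """
[default]
SHOULD_LINEMERGE = true
"""),
    ("Splunk_TA_juniper/default/props.conf", """
[juniper]
SHOULD_LINEMERGE = false
EVENT_BREAKER_ENABLE = true
TRANSFORMS-force_info_for_juniper = force_host_for_netscreen_firewall,force_sourcetype_for_netscreen_firewall
"""),
    ("TA-cisco_ios/default/props.conf", """
[syslog]
TRANSFORMS-cisco = force_sourcetype_for_cisco_ios
"""),
    ("Splunk_TA_juniper/local/props.conf", """
[juniper]
EVENT_BREAKER_ENABLE = false
"""),
    ("search/local/props.conf", """
[source::udp:1516]
TRANSFORMS-net = force_host_from_syslog_header
[host::fw*]
TZ = Europe/Berlin
"""),
]


def merge_layers(layers):
    """Merge layers per stanza and per key; the last layer listed wins a key."""
    merged = {}
    for name, text in layers:
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.optionxform = str  # keep key case: TRANSFORMS-x, not transforms-x
        cp.read_string(text, source=name)
        for stanza in cp.sections():
            merged.setdefault(stanza, {}).update(cp[stanza])
    return merged


def rank_pattern(pattern, value, base):
    """Return (rank, matched). A literal match ranks at `base`; a wildcard
    match at `base + 1`, since literal stanzas take precedence over patterns.
    '...' matches anything, '*' matches anything except a path separator."""
    if pattern == value:
        return base, True
    if "..." in pattern or "*" in pattern:
        regex = re.escape(pattern).replace(r"\.\.\.", ".*").replace(r"\*", "[^/]*")
        return base + 1, re.fullmatch(regex, value) is not None
    return base, False


def matching_stanzas(merged, sourcetype, source, host):
    """Stanzas that apply to one event, highest precedence first."""
    ranked = []
    for stanza in merged:
        if stanza == "default":
            rank, hit = 9, True
        elif stanza.startswith("source::"):
            rank, hit = rank_pattern(stanza[len("source::"):], source, 0)
        elif stanza.startswith("host::"):
            rank, hit = rank_pattern(stanza[len("host::"):], host, 2)
        else:  # plain sourcetype stanza, lowest of the three kinds
            rank, hit = rank_pattern(stanza, sourcetype, 4)
        if hit:
            ranked.append((rank, stanza))
    return [stanza for _, stanza in sorted(ranked)]


def effective_settings(merged, sourcetype, source, host):
    """Flatten the matching stanzas into one settings dict, applying the
    lowest-precedence stanza first so higher ones overwrite shared keys."""
    settings = {}
    for stanza in reversed(matching_stanzas(merged, sourcetype, source, host)):
        settings.update(merged[stanza])
    return settings


if __name__ == "__main__":
    merged = merge_layers(LAYERS)
    for st in ("syslog", "juniper"):
        print(st, "->", matching_stanzas(merged, st, "udp:1516", "fw1"))
        print("   ", effective_settings(merged, st, "udp:1516", "fw1"))
```

Running it shows that an event from udp:1516 with sourcetype=syslog hits [source::udp:1516], [host::fw*], [syslog] and [default] but never [juniper], so the TRANSFORMS-force_info_for_juniper setting is absent from its effective settings; only a sourcetype=juniper event picks it up, which is the point of the accepted answer. The merge step also shows the local/ override of EVENT_BREAKER_ENABLE winning over default/, which is what splunk btool props list juniper --debug would report for the real files.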

richgalloway
SplunkTrust

My error. I've corrected the command.

---
If this reply helps you, Karma would be appreciated.
0 Karma

vessev
Path Finder

Thanks, I will try that!
