As far as I know, Splunk merges all props.conf files (all TAs, apps, add-ons) into one single props.conf, like the other conf files too.
Values can be overwritten depending on the placement in the folder structure (default/local ... system/default ... etc/default, etc.).
As far as I understand props.conf, it gets used many times in the processing of an input, 4x (data pipeline).
I have inputs from a UDP Port:
[udp://1516]
connection_host = dns
index = net
sourcetype = syslog
Is it right that my props.conf from SplunkTAjuniper (see below) does not apply to this input, because of the [<spec>] = [juniper], which means that this stanza only applies to inputs with sourcetype=juniper? (See the props.conf documentation, search for: <sourcetype>, the source type of an event.)
This is the global part of the probs.conf from the juniper TA:
###### Globals ######
## Apply the following properties to juniper data
[juniper]
SHOULD_LINEMERGE = false
# For load balancing on UF
EVENT_BREAKER_ENABLE = true
TRANSFORMS-force_info_for_juniper = force_host_for_netscreen_firewall,force_sourcetype_for_netscreen_firewall,force_sourcetype_for_juniper_nsm,force_sourcetype_for_juniper_nsm_idp,force_sourcetype_for_juniper_sslvpn,force_sourcetype_for_junos_firewall,force_sourcetype_for_juniper_idp,force_sourcetype_for_junos_idp,force_sourcetype_for_junos_aamw,force_sourcetype_for_junos_secintel
If I get everything right, the first stanza [juniper] defines that the settings from this part of props.conf for stanza [juniper] only apply if the INPUT stream has sourcetype=juniper. If this is not the case, the stanza does nothing. So if I mess up the input sourcetypes, it could be that a SplunkTA* does nothing.
In the middle of the props the sources are also relevant, but for this specific part, is it mandatory that the sourcetype equals juniper?
I ask this very specifically because I plan not to use the default input UDP ports. Instead I want to use syslog-ng, which could mess up sourcetypes AND sources.
That would mean for me that I have to look into every props.conf for this kind of input to verify which input source or sourcetype it reacts to, to make sure that the config applies to my data input.
If I'm wrong on something, please let me know.
I made my explanation a bit wider than it should be. I looked very long through all the docs and questions to extract this much information.
So if there is no false claim, then it could be a problem solver for someone else too.
You are correct, props.conf settings apply only to the sourcetype matching the stanza in which they are defined.
You do not need to look at every props.conf file. The Splunk btool command will do that for you.
splunk btool props list juniper will show all of the
I understand that command now - and i like it.
But your command did not help me much, and I will tell you why.
If I do
splunk btool inputs list juniper
it would give me all existing [juniper] stanzas defined in an inputs.conf.
In my example no input is defined. (Many Splunk TAs do not have an inputs.conf, like SplunkTajuniper.)
So I have to create one. The question is which sourcetype and source should I define?
This is highly related to the TA I want to use (for extractions etc.), so I have to look into props.conf.
There are many differences regarding props.conf. A few examples:
Barracuda TA: does not have any requirement (source, sourcetype, hostname etc.); it applies to everything
TA-ciscoios: requires the input with sourcetype=syslog
SplunkTA_juniper: requires the input with sourcetype=juniper
If you want to forward or collect this input with a syslog-ng server or universal forwarder, you have to define inputs.conf yourself. This is why I needed to understand props.conf and transforms.conf in order to define those inputs. It was necessary to understand which requirements those TAs have, and in my opinion, for these kinds of TAs it is all written in props.conf.
But again, thanks for your help!
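The check the thread describes (which props.conf stanzas a given input will actually hit, keyed on sourcetype, source::, host:: or [default]) can be scripted. The following is an added example, not code from the thread or from any Splunk TA: the app names, the TA-ciscoios and TA-example-source snippets and the second UDP input are constructed for the example, only the [juniper] stanza mirrors the one quoted above (with its transforms list shortened). The wildcard matching for source::/host:: patterns is a simplification of Splunk's rules, and the assumption that network inputs get the source udp:<port> unless overridden is stated in the code.

```python
"""Added example: report which props.conf stanzas apply to an inputs.conf input."""
import re

def parse_conf(text):
    """Minimal Splunk .conf parser: [stanza] headers, key = value lines and
    '#' comment lines. A repeated key keeps its last value, as Splunk does."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def classify(stanza):
    """Return (kind, pattern) for a props.conf stanza header."""
    for prefix in ("host", "source", "rule", "delayedrule"):
        if stanza.startswith(prefix + "::"):
            return prefix, stanza[len(prefix) + 2:]
    if stanza == "default":
        return "default", "*"
    return "sourcetype", stanza          # a bare name is a sourcetype

def _wildcard(pattern):
    # Simplified Splunk wildcards: '...' matches anything, '*' anything but '/'.
    regex = re.escape(pattern).replace(r"\.\.\.", ".*").replace(r"\*", "[^/]*")
    return re.compile("^" + regex + "$")

def applies(stanza, sourcetype, source, host):
    """Does this props.conf stanza apply to an event with these metadata values?"""
    kind, pattern = classify(stanza)
    if kind == "default":
        return True
    if kind == "sourcetype":
        return pattern == sourcetype
    if kind == "source":
        return bool(_wildcard(pattern).match(source))
    if kind == "host":
        return bool(_wildcard(pattern).match(host))
    return False   # rule::/delayedrule:: assign sourcetypes, they are not event props

def requirements(apps):
    """Per app: which metadata each props.conf stanza is keyed on."""
    return {app: [(s,) + classify(s) for s in parse_conf(text)]
            for app, text in apps.items()}

def input_props(apps, inputs_text, host="fw01.example.net"):
    """For each inputs.conf stanza, the (app, props stanza) pairs that apply."""
    result = {}
    for name, settings in parse_conf(inputs_text).items():
        # Assumption: udp://<port> and tcp://<port> inputs default to source udp:<port>.
        m = re.match(r"^(udp|tcp)://(?:[^:]*:)?(\d+)$", name)
        source = settings.get("source", f"{m.group(1)}:{m.group(2)}" if m else name)
        sourcetype = settings.get("sourcetype", "")
        result[name] = [(app, stanza) for app, text in apps.items()
                        for stanza in parse_conf(text)
                        if applies(stanza, sourcetype, source, host)]
    return result

# Constructed sample data for the example (not copied from real TAs).
SAMPLE_APPS = {
    "Splunk_TA_juniper": """
[juniper]
SHOULD_LINEMERGE = false
EVENT_BREAKER_ENABLE = true
TRANSFORMS-force_info_for_juniper = force_host_for_netscreen_firewall,force_sourcetype_for_netscreen_firewall
""",
    "TA-ciscoios": """
[syslog]
TRANSFORMS-cisco = force_sourcetype_for_cisco_ios
""",
    "TA-example-source": """
[source::udp:15*]
SHOULD_LINEMERGE = false
""",
}
INPUTS = """
[udp://1516]
connection_host = dns
index = net
sourcetype = syslog

[udp://1517]
connection_host = dns
index = net
sourcetype = juniper
"""

if __name__ == "__main__":
    for app, reqs in requirements(SAMPLE_APPS).items():
        print(app, reqs)
    for inp, hits in input_props(SAMPLE_APPS, INPUTS).items():
        print(inp, "->", hits or "no props stanza applies")
```

Running it shows the point of the thread: udp://1516 with sourcetype=syslog never reaches the [juniper] stanza, while the same port with sourcetype=juniper does. On a real system, `splunk btool props list --debug` against the merged configuration is the authoritative answer; this script only helps to read a TA's requirements before writing the inputs.conf that a syslog-ng or universal forwarder setup needs.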