Solved: Which props.conf for my .csv ?

hattori_hanzo · ‎04-09-2020

Hi

I have a .csv file without header but with fixed fields which i would like to send to my Splunk server with the universal forwarder on the according Linux host.

I understand that i need to configure the inputs.conf on the universal forwarder and that i need to define the .csv on the indexer in props.conf like following:

[mycsv]
FIELD_DELIMITER=,
FIELD_NAMES=field1,field2,field3,field4

However, it's not clear to me in which props.conf i need to define the above definition. I have found the following props.conf on my Indexer/Splunk server?

/opt/splunk/etc/apps/splunk_internal_metrics/default/props.conf
/opt/splunk/etc/apps/Splunk_TA_nix/default/props.conf
/opt/splunk/etc/apps/search/default/props.conf
/opt/splunk/etc/apps/SplunkLightForwarder/default/props.conf
/opt/splunk/etc/apps/Splunk_TA_apache/default/props.conf
/opt/splunk/etc/apps/sample_app/default/props.conf
/opt/splunk/etc/apps/legacy/default/props.conf
/opt/splunk/etc/apps/splunk_instrumentation/default/props.conf
/opt/splunk/etc/apps/splunk_archiver/default/props.conf
/opt/splunk/etc/apps/splunk_monitoring_console/default/props.conf
/opt/splunk/etc/apps/learned/local/props.conf
/opt/splunk/etc/system/default/props.conf

Do i need to copy the props.conf from: /opt/splunk/etc/apps/search/default/props.conf
to: /opt/splunk/etc/system/default/props.conf and then modify it with my above [mycsv] definition?

Or do i need to modify the props.conf in: /opt/splunk/etc/apps/search/default/props.conf and leave it there?

Or do i need to modify the props.conf in: /opt/splunk/etc/apps/Splunk_TA_nix/default/props.conf?

Or is it any of the other props.conf?

I only want to search the index after with the standard search in Splunk.

Kind Regards and thanks in advance for any help

richgalloway · ‎04-09-2020

Never modify any configuration file in a default directory.

Do not copy an entire .conf file from default to local. Copy only the stanza name(s) and the attribute(s) you wish to change.
You can put the change in any app, but it should go in the app that is intended for that type of data. If you have your own data type then you can (and should) create your own app and put the .conf files there.

Putting custom config files in the Search & Reporting app ("search" directory) may cause problems in the future.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎04-09-2020

Never modify any configuration file in a default directory.

Do not copy an entire .conf file from default to local. Copy only the stanza name(s) and the attribute(s) you wish to change.
You can put the change in any app, but it should go in the app that is intended for that type of data. If you have your own data type then you can (and should) create your own app and put the .conf files there.

Putting custom config files in the Search & Reporting app ("search" directory) may cause problems in the future.

---
If this reply helps you, Karma would be appreciated.

hattori_hanzo · ‎04-10-2020

Thanks a lot @richgalloway

to4kawa · ‎04-09-2020

see
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

Which props.conf for my .csv ?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation