Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Which props.conf for my .csv ?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I have a .csv file without header but with fixed fields which i would like to send to my Splunk server with the universal forwarder on the according Linux host.
I understand that i need to configure the inputs.conf on the universal forwarder and that i need to define the .csv on the indexer in props.conf like following:
[mycsv]
FIELD_DELIMITER=,
FIELD_NAMES=field1,field2,field3,field4
However, it's not clear to me in which props.conf i need to define the above definition. I have found the following props.conf on my Indexer/Splunk server?
/opt/splunk/etc/apps/splunk_internal_metrics/default/props.conf
/opt/splunk/etc/apps/Splunk_TA_nix/default/props.conf
/opt/splunk/etc/apps/search/default/props.conf
/opt/splunk/etc/apps/SplunkLightForwarder/default/props.conf
/opt/splunk/etc/apps/Splunk_TA_apache/default/props.conf
/opt/splunk/etc/apps/sample_app/default/props.conf
/opt/splunk/etc/apps/legacy/default/props.conf
/opt/splunk/etc/apps/splunk_instrumentation/default/props.conf
/opt/splunk/etc/apps/splunk_archiver/default/props.conf
/opt/splunk/etc/apps/splunk_monitoring_console/default/props.conf
/opt/splunk/etc/apps/learned/local/props.conf
/opt/splunk/etc/system/default/props.conf
Do i need to copy the props.conf from: /opt/splunk/etc/apps/search/default/props.conf
to: /opt/splunk/etc/system/default/props.conf and then modify it with my above [mycsv] definition?
Or do i need to modify the props.conf in: /opt/splunk/etc/apps/search/default/props.conf and leave it there?
Or do i need to modify the props.conf in: /opt/splunk/etc/apps/Splunk_TA_nix/default/props.conf?
Or is it any of the other props.conf?
I only want to search the index after with the standard search in Splunk.
Kind Regards and thanks in advance for any help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Never modify any configuration file in a default directory.
Do not copy an entire .conf file from default to local. Copy only the stanza name(s) and the attribute(s) you wish to change.
You can put the change in any app, but it should go in the app that is intended for that type of data. If you have your own data type then you can (and should) create your own app and put the .conf files there.
Putting custom config files in the Search & Reporting app ("search" directory) may cause problems in the future.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Never modify any configuration file in a default directory.
Do not copy an entire .conf file from default to local. Copy only the stanza name(s) and the attribute(s) you wish to change.
You can put the change in any app, but it should go in the app that is intended for that type of data. If you have your own data type then you can (and should) create your own app and put the .conf files there.
Putting custom config files in the Search & Reporting app ("search" directory) may cause problems in the future.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot @richgalloway
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fastest way to demo Observability
September Community Champions: A Shoutout to Our Contributors!
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
