Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are changes made in props.conf not taking effect?

prathapkcsc
Explorer
‎06-19-2017 11:36 AM

My sample data

AAA, 0.5%
BBB,0.10%
CCC,0.20%

my search looks like this

base search | rex ".*?(?[^,]+),\s*?(?.*)" | table name,value

My entire data comes in as a single event. I want to avoid this.

I am trying to split a single event into multiple events based on new-line delimiter.
my props.conf file have

[app_source]
DATETIME_CONFIG = current
NO_BINARY_CHECK = true
category = Custom
pulldown_type = true
LINE_BREAKER=([\r\n]+)
SHOULD_LINEMERGE=false
MUST_BREAK_AFTER=\%

i placed this props.conf inside the $SPLUNK_HOME/etc/system/local
i restarted the splunkd service.
still changes are not reflecting to my search.
can anyone provide some light?
I am new to Splunk. What to do to resolve this problem?

Reply

micahkemp
Champion
‎06-20-2017 07:35 AM

You show app_source as the stanza for your props.conf. Is that reflective of the source or sourcetype of your data? If the former, it should be source::app_source instead, as per props.conf:

<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an
                 event.
3. source::<source>, where <source> is the source, or source-matching
                     pattern, for an event.
4. rule::<rulename>, where <rulename> is a unique name of a source type
                     classification rule.
5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed
                            source type classification rule.
                            These are only considered as a last resort
                            before generating a new source type based on the
                            source seen.
0 Karma
Reply

somesoni2
Revered Legend
‎06-19-2017 11:49 AM

The props.conf should be kept at the Indexer OR heavy forwarder (first Full Splunk Enterprise version) that comes first in the flow.

0 Karma
Reply

prathapkcsc
Explorer
‎06-19-2017 11:55 AM

i placed inside the $SPLUNK_HOME/etc/search/local.
Is this different from that indexer?

0 Karma
Reply

somesoni2
Revered Legend
‎06-19-2017 12:00 PM

Indexer is the server where data indexing happens. The $SPLUNK_HOME/etc/search/local directory is available in all Splunk instances. Since you're new to Splunk, start reading with distributed architecture of Splunk, to understand different server types, correlated with your Splunk infrastructure and then make the changes (same location) in the server designated as indexer:
http://docs.splunk.com/Documentation/Splunk/6.6.1/Capacity/ComponentsofaSplunkEnterprisedeployment

0 Karma
Reply

prathapkcsc
Explorer
‎06-19-2017 12:04 PM

according to my requirement where should i make necessary changes?
Could you please tell me

0 Karma
Reply

prathapkcsc
Explorer
‎06-19-2017 12:06 PM

can i store props.conf inside $SPLUNK_HOME/var/lib/splunk/defaultdb/db/* this path?

0 Karma
Reply

somesoni2
Revered Legend
‎06-19-2017 12:13 PM

The path is not the problem, it which server. I already provided you the name of the server (indexer/Heavy forwarder) but I can't tell you more specifically as I don't know your environment. How many Splunk servers you have? The server where you're monitoring the file (inputs.conf I assume), does it have Splunk Enterprise or Universal Forwarder installed?

Are you the Splunk admin for your environment? If not, you can get these answered by your admin.

Also, $SPLUNK_HOME/var/lib/splunk/defaultdb/db/* is the path for storing data, DO NOT Place anything there.

0 Karma
Reply

prathapkcsc
Explorer
‎06-19-2017 12:18 PM

I installed a windows desktop application.I don't have any forwarders like universal, heavy forwarder. I am trying to learn this , but got stuck here.

0 Karma
Reply

somesoni2
Revered Legend
‎06-19-2017 12:24 PM

Ok.. so you're working out of a Standalone box (which performs all roles of search head, indexer, heavy forwarder). So if you've placed the props.conf in $SPLUNK_HOME/etc/system/local, it's placed in correct location. Keep in mind that a data once indexed will not get updated even if you change the event processing configuration. The new configuration will only be applicable for any new data that will get ingested. Did you upload new data? (old data will remain as it is. If you're just testing, delete all old data and re-index the file).

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...