Getting Data In

Why are manual edits to props.conf not taking effect in Splunk Light?

SKless
New Member

Hello guys,

I am new to splunk and I am having troubles in getting my changes to props.conf (from .../Splunk/etc/apps/search/local) to take effect in Splunk. I changed the values to my source type, but they stay like they were before.

I originally created that source type as a step while "adding data" in Splunk, via the "Set Source Type" fields, then I saved the created source type via "save as" under a name in category "Custom".

Then I found my created source type in the props.conf in .../Splunk/etc/apps/search/local and tried to manually edit it via text editor. After that, I restarted Splunk and wanted to add new data using my new (manually edited) source type, but unfortunately, the changes I manually edited did not take effect.

Any ideas please? Thank you in advance guys!

Please note:
- I am using Splunk Light
- I did restart Splunk (log out from Splunk Web session and then restart and login)

0 Karma

dgrubb_splunk
Splunk Employee
Splunk Employee

I would suggest using the btool to examine the configuration.

./splunk btool props list --debug

This will allow you to see if the configuration changes you are making based on file precedence would take affect.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

You would need to restart Splunk service (not logout and log in in SPlunk web). In windows you can use Run->services.msc and restart splunkd service OR you can use CLI to do that

WIndows:
YourSplunkDirecorty\bin\splunk.exe restart

Linux
YourSplunkDirectory/bin/splunk restart

0 Karma

SKless
New Member

Thank you for your answer! I was able to restart Splunk the way you described via CMD in Windows (as Admin).

However checking via splunk btool check --debug returned the message that it cannot open file to check in .../Splunk/etc/apps/search/local/props.conf. So it does not use my props.conf and most likely there is some inconsistency in props.conf. But I cannot get clues on why my props.conf seems to be inconsistent. Strange thing, it even returns this when using the (not manually edited) props.conf that I created by using the "Set Source Type" step in Splunk Web. So at least that should work fine, since I created it within Splunk Web. Any ideas?

Maybe it also helps to describe what I am trying to do:
- trying to read out XML, working fine so far, but I want to rename the fields in Splunk using aliases
- my props.conf looks like this:
*[D2_XML_Test]
CHARSET = UTF-8
DATETIME_CONFIG =
KV_MODE = xml
LINE_BREAKER =
NO_BINARY_CHECK = true
category = Custom
disabled = false
pulldown_type = true
BREAK_ONLY_BEFORE =
TIME_PREFIX =
FIELDALIAS-D2aliases = recordPayload.recordPayload.telephonyRecord.telephonyServiceUsage.nationalTelephonyServiceUsage.countryCode as ctry
*

So, in conclusion my question is 3-fold:

  1. Why does it say that it is unable to open my props.conf when I run btool?
  2. How exactly can I trace inconsistencies with my props.conf? How can I test whether changes to my props.conf work ok?
  3. Do you guys see anything wrong with my aliases in my props.conf?
0 Karma

esix_splunk
Splunk Employee
Splunk Employee

I think you need to check the permissions on disk of the file and make sure the user running splunk can read the file.

Btool is the answer to 2 and your props looks fine.

0 Karma

SKless
New Member

Ok, thank you all VERY much for your help guys!

I think I found the reason. I seem to have tried to open and manually edit the props.conf WHILE it was being used by the Splunk software. I believe it somehow caused an error and from then onwards my defined source type was internally flagged as corrupt. I could not even get it to work after reloading Splunk. I completely deleted my props.conf and made a new one. Seems to work fine so far. From now on, I will make sure not to open it while it is being processed by Splunk.

At least that is how I think it caused problems for me. I will report back if I still encounter problems. Regards to all and thanks for helping! Great Splunk community obviously.

-SKless

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...