Why are manual edits to props.conf not taking effect in Splunk Light?

SKless
New Member

Hello guys,

I am new to Splunk and I am having trouble getting my changes to props.conf (from .../Splunk/etc/apps/search/local) to take effect in Splunk. I changed the values for my source type, but they stay as they were before.

I originally created that source type as a step while "adding data" in Splunk, via the "Set Source Type" fields, then I saved the created source type via "save as" under a name in category "Custom".

Then I found my created source type in the props.conf in .../Splunk/etc/apps/search/local and tried to manually edit it via text editor. After that, I restarted Splunk and wanted to add new data using my new (manually edited) source type, but unfortunately, the changes I manually edited did not take effect.

Any ideas please? Thank you in advance guys!

Please note:
- I am using Splunk Light
- I did restart Splunk (log out from Splunk Web session and then restart and login)

0 Karma

dgrubb_splunk
Splunk Employee

I would suggest using the btool to examine the configuration.

./splunk btool props list --debug

This will allow you to see if the configuration changes you are making would take effect, based on file precedence.

0 Karma
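To act on the btool suggestion above, the following added example (not code from this thread or from Splunk) parses `btool props list --debug` output and lists the settings of a stanza whose effective value comes from a file other than the one you edited. The sample output, its install path and the overriding `system\local` entry are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `splunk btool props list D2_XML_Test --debug` output.
# Each line is "<file that supplied it> <stanza header or setting>".
SAMPLE = r"""
C:\Program Files\Splunk\etc\apps\search\local\props.conf   [D2_XML_Test]
C:\Program Files\Splunk\etc\system\default\props.conf      ANNOTATE_PUNCT = True
C:\Program Files\Splunk\etc\apps\search\local\props.conf   CHARSET = UTF-8
C:\Program Files\Splunk\etc\system\local\props.conf        KV_MODE = none
C:\Program Files\Splunk\etc\apps\search\local\props.conf   NO_BINARY_CHECK = true
C:\Program Files\Splunk\etc\apps\search\local\props.conf   category = Custom
"""

# The path ends at the first ".conf" followed by whitespace, so install
# paths containing spaces ("Program Files") are handled.
LINE_RE = re.compile(r"^(?P<path>.*?\.conf)\s+(?P<body>.+)$")

def parse_btool_debug(text):
    """Return {stanza: {key: (value, source_file)}} from btool --debug output."""
    stanzas = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or not "<file> <content>"
        path, body = m.group("path"), m.group("body").strip()
        if body.startswith("[") and body.endswith("]"):
            current = body[1:-1]
        elif current is not None and "=" in body:
            key, _, value = body.partition("=")
            stanzas[current][key.strip()] = (value.strip(), path)
    return dict(stanzas)

def _norm(path):
    # Compare Windows and Linux style paths the same way.
    return path.replace("\\", "/").lower()

def settings_not_from(stanzas, stanza, expected_file):
    """Settings in `stanza` whose winning value comes from another file."""
    want = _norm(expected_file)
    return sorted(
        (key, value, src)
        for key, (value, src) in stanzas.get(stanza, {}).items()
        if not _norm(src).endswith(want)
    )

if __name__ == "__main__":
    parsed = parse_btool_debug(SAMPLE)
    for row in settings_not_from(parsed, "D2_XML_Test", "etc/apps/search/local/props.conf"):
        print(row)
```

Any setting it lists is being supplied by a different file than the one you edited, which is where to look when an edit appears to be ignored.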

somesoni2
Revered Legend

You would need to restart the Splunk service (not log out and log in in Splunk Web). In Windows you can use Run->services.msc and restart the splunkd service, OR you can use the CLI to do that:

Windows:
YourSplunkDirectory\bin\splunk.exe restart

Linux:
YourSplunkDirectory/bin/splunk restart

0 Karma

SKless
New Member

Thank you for your answer! I was able to restart Splunk the way you described via CMD in Windows (as Admin).

However, checking via splunk btool check --debug returned the message that it cannot open file to check in .../Splunk/etc/apps/search/local/props.conf. So it does not use my props.conf and most likely there is some inconsistency in props.conf. But I cannot get clues on why my props.conf seems to be inconsistent. Strange thing, it even returns this when using the (not manually edited) props.conf that I created by using the "Set Source Type" step in Splunk Web. So at least that should work fine, since I created it within Splunk Web. Any ideas?

Maybe it also helps to describe what I am trying to do:
- trying to read out XML, working fine so far, but I want to rename the fields in Splunk using aliases
- my props.conf looks like this:
[D2_XML_Test]
CHARSET = UTF-8
DATETIME_CONFIG =
KV_MODE = xml
LINE_BREAKER =
NO_BINARY_CHECK = true
category = Custom
disabled = false
pulldown_type = true
BREAK_ONLY_BEFORE =
TIME_PREFIX =
FIELDALIAS-D2aliases = recordPayload.recordPayload.telephonyRecord.telephonyServiceUsage.nationalTelephonyServiceUsage.countryCode as ctry

So, in conclusion my question is 3-fold:

  1. Why does it say that it is unable to open my props.conf when I run btool?
  2. How exactly can I trace inconsistencies with my props.conf? How can I test whether changes to my props.conf work ok?
  3. Do you guys see anything wrong with my aliases in my props.conf?
0 Karma

esix_splunk
Splunk Employee

I think you need to check the permissions on disk of the file and make sure the user running Splunk can read the file.

Btool is the answer to 2 and your props look fine.

0 Karma

SKless
New Member

Ok, thank you all VERY much for your help guys!

I think I found the reason. I seem to have tried to open and manually edit the props.conf WHILE it was being used by the Splunk software. I believe it somehow caused an error and from then onwards my defined source type was internally flagged as corrupt. I could not even get it to work after reloading Splunk. I completely deleted my props.conf and made a new one. Seems to work fine so far. From now on, I will make sure not to open it while it is being processed by Splunk.

At least that is how I think it caused problems for me. I will report back if I still encounter problems. Regards to all and thanks for helping! Great Splunk community obviously.

-SKless

0 Karma