I am new to Splunk and I am having trouble getting my changes to props.conf (from .../Splunk/etc/apps/search/local) to take effect in Splunk. I changed the values to my source type, but they stay like they were before.
I originally created that source type as a step while "adding data" in Splunk, via the "Set Source Type" fields, then I saved the created source type via "save as" under a name in category "Custom".
Then I found my created source type in the props.conf in .../Splunk/etc/apps/search/local and tried to manually edit it via text editor. After that, I restarted Splunk and wanted to add new data using my new (manually edited) source type, but unfortunately, the changes I manually edited did not take effect.
Any ideas please? Thank you in advance guys!
- I am using Splunk Light
- I did restart Splunk (log out from Splunk Web session and then restart and login)
I would suggest using the btool to examine the configuration.
./splunk btool props list --debug
This will allow you to see if the configuration changes you are making based on file precedence would take effect.
You would need to restart the Splunk service (not log out and log in in Splunk Web). In Windows you can use Run->services.msc and restart the splunkd service, OR you can use the CLI to do that.
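The precedence check that the btool suggestion above relies on, as an added example that is not part of the original thread or Splunk's own code: a simplified Python model of the global-context layering (system/local over app local over app default over system/default), showing which file supplies each effective setting. The file contents, the stanza name `my_xml` and the values are constructed; line continuations and the app/user-context ordering are not modelled.

```python
# Added example: simplified model of the global-context layering that
# `splunk btool props list --debug` reports. All file contents are constructed.

# Lowest to highest precedence (global context only):
# system/default < app default < app local < system/local
LAYERS = [
    ("etc/system/default/props.conf", ""),
    ("etc/apps/search/default/props.conf", "[my_xml]\nCHARSET = AUTO\n"),
    ("etc/apps/search/local/props.conf",
     "[my_xml]\nCHARSET = UTF-8\nNO_BINARY_CHECK = true\n"),
    ("etc/system/local/props.conf", "[my_xml]\nCHARSET = ISO-8859-1\n"),
]


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, "default"  # settings before any header are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]  # hypothetical stanza name, e.g. my_xml
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def merge_layers(layers):
    """Return {stanza: {key: (value, winning_path)}}; later layers override."""
    merged = {}
    for path, text in layers:
        for stanza, settings in parse_conf(text).items():
            for key, value in settings.items():
                merged.setdefault(stanza, {})[key] = (value, path)
    return merged


def shadowed(layers, path):
    """List (stanza, key, winning_path) for settings in `path` that lose."""
    merged = merge_layers(layers)
    mine = parse_conf(dict(layers)[path])
    return [(s, k, merged[s][k][1]) for s, kv in mine.items()
            for k in kv if merged[s][k][1] != path]


if __name__ == "__main__":
    print(shadowed(LAYERS, "etc/apps/search/local/props.conf"))
```

A non-empty result from `shadowed` means an edit in that file is being overridden by a higher-precedence copy of the same setting, which is what the file path column of the btool `--debug` listing lets you spot.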
Thank you for your answer! I was able to restart Splunk the way you described via CMD in Windows (as Admin).
However, checking via splunk btool check --debug returned the message that it cannot open file to check in .../Splunk/etc/apps/search/local/props.conf. So it does not use my props.conf and most likely there is some inconsistency in props.conf. But I cannot get clues on why my props.conf seems to be inconsistent. Strange thing, it even returns this when using the (not manually edited) props.conf that I created by using the "Set Source Type" step in Splunk Web. So at least that should work fine, since I created it within Splunk Web. Any ideas?
Maybe it also helps to describe what I am trying to do:
- trying to read out XML, working fine so far, but I want to rename the fields in Splunk using aliases
props.conf looks like this:
CHARSET = UTF-8
KV_MODE = xml
NO_BINARY_CHECK = true
category = Custom
disabled = false
pulldown_type = true
FIELDALIAS-D2aliases = recordPayload.recordPayload.telephonyRecord.telephonyServiceUsage.nationalTelephonyServiceUsage.countryCode as ctry
So, in conclusion my question is 3-fold:
Ok, thank you all VERY much for your help guys!
I think I found the reason. I seem to have tried to open and manually edit the props.conf WHILE it was being used by the Splunk software. I believe it somehow caused an error and from then onwards my defined source type was internally flagged as corrupt. I could not even get it to work after reloading Splunk. I completely deleted my props.conf and made a new one. Seems to work fine so far. From now on, I will make sure not to open it while it is being processed by Splunk.
At least that is how I think it caused problems for me. I will report back if I still encounter problems. Regards to all and thanks for helping! Great Splunk community obviously.