Solved: Why is a props.conf change on a universal forwarde...

afmohamm · ‎06-09-2015

I have a Splunk 6.2.0 multisite cluster setup. Per site, there is one indexer, one search head and a master. I am pulling logs from a client on Windows using splunk universal forwarder, but I need to change the Line Break. I have defined a new sourcetype in props.conf and placed it on the client and restarted the splunkd on the client. I still don't see the changes when I search the data on the search head.

Do I have to define the sourcetype on the indexer as well? or just the indexer and not in the client?

Thanks

gfuente · ‎06-09-2015

Hello

The parsing stage happens in the indexers (or Heavy Forwarders) not in the Universal Forwarder

So that props must be placed in the indexers, in your case as you are using a cluster, then you need to deploy it through the cluster master, using master apps, and the apply cluster bundle command

Regards

View solution in original post

gfuente · ‎06-09-2015

Hello

The parsing stage happens in the indexers (or Heavy Forwarders) not in the Universal Forwarder

So that props must be placed in the indexers, in your case as you are using a cluster, then you need to deploy it through the cluster master, using master apps, and the apply cluster bundle command

Regards

Why is a props.conf change on a universal forwarder not being applied in a multisite Splunk 6.2.0 indexer clustering environment?

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services