Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is my props.conf not working, but the same props.conf is working on some forwarders?

sathiyasun
Explorer
‎03-16-2017 01:28 PM

props.conf 

[log1]
BREAK_ONLY_BEFORE = \w+\s+\w+\s+\d+\s+\d+\:\d+\:\d+\s+\w+\s+\d+
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
pulldown_type = true

Below is my sample event, we need to break line after the first line.

Wed Mar 15 10:17:32 CDT 2017 ---------break the line
Config Path= /etc/httpd/conf/httpd.conf
Certificate Location= /etc/httpd/conf.d/com/com.crt
notBefore=Jul 6 00:00:00 2016 GMT
notAfter=Jul 6 23:59:59 2017 GMT
subject= /C=US/postalCode=00000/ST=Confgtyre/L=Norwalk/street=123 ABC Avenue/O=XYZ Services/OU=World Headquarters/OU=Issued through XYZ Services E-PKI Manager/OU=InstantSSL/CN=services.xYZ
issuer= /C=GB/ST=Greater Missouri/L=Salford/O=COMODO CA Limited/CN=DO XYZ Organization Validation Secure Server PA

I have written the regular expression to break the line but its not doing it.

\w+\s+\w+\s+\d+\s+\d+\:\d+\:\d+\s+\w+\s+\d+
0 Karma
Reply

lguinn2
Legend
‎03-16-2017 04:36 PM

These are parsing settings, and the Universal Forwarder does not parse. So this props.conf belongs on the indexer.

However, Heavy Forwarders do parse. So if you are using a Heavy Forwarder, the props.conf goes there.

But the best practice is the use the Universal Forwarder wherever possible.

0 Karma
Reply

sathiyasun
Explorer
‎03-17-2017 08:04 AM

Yes, we have the same props config in Indexer as well. Here the issue is the same props is working data from some of fw's data but it not working on some fw's.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...