Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why props.conf configurations not taking effect?

ankireddy007
Path Finder
‎07-21-2014 12:01 AM

Hi,

I am receiving syslog data from various type of devices, but all are on udp:514. I need to overwrite the sourcetype based on Host IP address. Following are the configurations I did, but this is not taking effective. My search result shows sourcetype as [syslog] only.
Can you please help me where I am doing the mistake.

Configurations made in $SPLUNK_HOME/etc/system/local directory

    inputs.conf
        [udp://514]
        connection_host = ip
        source = udp_514
        sourcetype = syslog

    props.conf
        [host::10\.0\.6\.23]
        sourcetype = websense

        [host::10\.0\.6\.113]
        sourcetype = cisco:ios
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

strive
Influencer
‎07-21-2014 12:59 AM

This link will help you

http://answers.splunk.com/answers/3687/host-stanza-in-propsconf-not-being-honored-for-udp514-data-so...

You set the sourcetype in transforms.conf and then use that in props.conf file

View solution in original post

Reply
Solved! Jump to solution
Solution

strive
Influencer
‎07-21-2014 12:59 AM

This link will help you

http://answers.splunk.com/answers/3687/host-stanza-in-propsconf-not-being-honored-for-udp514-data-so...

You set the sourcetype in transforms.conf and then use that in props.conf file

Reply
Solved! Jump to solution

strive
Influencer
‎07-21-2014 03:40 AM

Check the sourcetype configuration section in http://docs.splunk.com/Documentation/Splunk/6.1.2/Admin/Propsconf

0 Karma
Reply
Solved! Jump to solution

ankireddy007
Path Finder
‎07-21-2014 02:18 AM

Thaks Strive, Its working.
But any idea why settings in props.conf alone (without transforms.conf) not working.

0 Karma
Reply
Solved! Jump to solution

ankireddy007
Path Finder
‎07-21-2014 12:56 AM

HI Strive,

Here no forwarders in this deployment, as all syslog devices sending data on udp:514. I have splunk indexer acting as syslog server to receive on udp:514.
All configurations made in Splunk INDEXER. (system/local directory)
Yes I am seeing different hosts (IPs) on search

Thansk, Anki

0 Karma
Reply
Solved! Jump to solution

strive
Influencer
‎07-21-2014 12:51 AM

Where do you have your props.conf? Is it on forwarder or indexer? what type of forwarder are you using? In your search results are you seeing different IP addresses as hosts?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...