Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

props.conf not recursing all directories

pljulien
New Member
‎09-12-2013 12:00 PM

I'm trying to go down a line of directories to get the syslog files. The recursion works for year 2013. To make sure it works for other years copied 2013 files to 2012 and changed year in all in all files. When doing search with all time Splunk doesn't see 2012.

props.conf
[source:: HOSTS.../*.logfile
sourcetype = syslog
TIME_FORMAT = %m %d %H:%M:%D

Any assistance would be appreciated.

Tags (1)
0 Karma
Reply

mloven_splunk
Splunk Employee
Splunk Employee
‎09-12-2013 12:17 PM

Are you trying to define an input with your [source...] statement? Because that's wrong.

In a props.conf, the [source...] statement is meant only to define what group of events to apply the props to.

You'd want to create an inputs.conf with something like this in it:

[monitor:///HOSTS.../*.logfile]
sourcetype = syslog

And then, if your syslog is properly formatted, you won't even need a props.conf stanza for that.

0 Karma
Reply

mloven_splunk
Splunk Employee
Splunk Employee
‎09-12-2013 02:28 PM

Ok.

Is your TIME_FORMAT correct? The standard TIME_FORMAT for the syslog sourcetype is:

TIME_FORMAT = %b %d %H:%M:%S

Which expects a month abbreviation (i.e. Jun, Nov, etc), then the day. Yours expects a timestamp like 12 09 16:27:00, which seems odd.

0 Karma
Reply

pljulien
New Member
‎09-12-2013 02:12 PM

Data is in a file. In inputs.conf I have:

[monitor:///opt/splunk/data/test/HOSTS/.../*.logfile]
index=test
sourcetype = syslog

When I didn't have the props.conf my data was coming in as the date of file, so created a props.conf file, fat-fingered above. It is:

[source:///opt/splunk/data/HOSTS/.../*.logfile]
sourcetype = syslog
TIME_FORMAT = %d %m %H:%M:%S

The directory structure is - .../HOSTS//year/month/day.logfile. The 2 files configured as noted, only getting data for 2013 and not 2012. Search set to all time. Any suggestions on changes to this would be appreciated.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...