Installation
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit the configuration files?

bhupinder_singh
Explorer
‎06-20-2012 05:04 PM

I am new to splunk. Could anyone please tell me how should I proceed in editing the .conf files in local directory? Are these changes critical to the parsing of the log files before they are indexed for search? I know that the inputs.conf and sourcetypes.conf has to be changed but I am not getting the required fields as per the log files, even if I do not make any changes at all.

Thanks.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎06-20-2012 06:19 PM

The best place to start is here.

http://docs.splunk.com/Documentation/Splunk/5.0/Tutorial/GetthesampledataintoSplunk

For the basics of adding data to Splunk this will make changes to the config files for you. For more advanced data there are examples and details in our online documentation as well.

View solution in original post

Reply
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎06-20-2012 06:19 PM

The best place to start is here.

http://docs.splunk.com/Documentation/Splunk/5.0/Tutorial/GetthesampledataintoSplunk

For the basics of adding data to Splunk this will make changes to the config files for you. For more advanced data there are examples and details in our online documentation as well.

Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎06-21-2012 02:52 PM

I would recommend trying the field extractor. That might help you get some of the extractions that aren't discovered automatically.

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/ExtractfieldsinteractivelywithIFX

0 Karma
Reply
Solved! Jump to solution

bhupinder_singh
Explorer
‎06-21-2012 01:47 PM

I have read this in a good many places that rather than playing with config files beforehand, it is always better to do it after providing the input and parsing , i.e. - dynamic searching. This may result in addition of fields when we use regex on the log event entries in the index obtained from Splunk.
But making changes with regex for a particular field, then obtaining one of use and then saving it is also not an easy task, especially if you are not good at regex.

Thanks.

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎06-20-2012 08:45 PM

Usually parsing rules and field extraction (index time and search-time) are in props.conf organized per sourcetype

For index time, add it on the indexer, for search-time, on the search-head (if any).

Remarks :

  • never edit the /default/ always create a new file in /local/ to contains your new settings and modifications.
  • If you edit a config file, restart the splunk instance to apply.
0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top