How and where to edit transforms.conf and props.conf

guentnergroup
Explorer

Hello, 

I was wondering where I should click to access this: /etc/system/default

I need to edit 

https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides


Vardhan
Path Finder

Hi @guentnergroup ,

Always create a config in the local directory. Never touch the config in the default directory.

You can create and edit props and transforms in two places:

1) Either create props & transforms in /etc/system/local

2) Or create an app in /etc/apps/<appname>/local/ and edit the files there.


soutamo
SplunkTrust
My suggestion is to always use an app for configuration. It's much easier to manage those that way than editing files in system/local.

guentnergroup
Explorer

Thanks both, but my question is where to do that? From GUI? Where should I click to access these locations: /etc/system/default or /etc/apps/<appname>/local/
I am using this software for the first time, so I don't have experience with it.  

Thanks, 


Vardhan
Path Finder

Hi @guentnergroup ,

There won't be any location paths in the GUI like /etc/default.

If you want to edit props.conf and transforms.conf, navigate to Settings -> Fields and make the required changes there.

While editing any extractions it will ask for the location to save them. You can select any app from the dropdown, and the extractions will be saved in that app.


My suggestion is, without having any experience, don't touch props.conf and transforms.conf. You can always read the docs and understand them, and then edit the conf files.


soutamo
SplunkTrust

When you are using the GUI for modifying those "files" you are always editing the local version of those, never the ones under default.

Then the next question is which app's version you are editing.

The actual place depends on which kind of roles you have. Do you have a role that can deploy anything to those apps, or are you a normal user who doesn't have the power to write under .../etc/apps/XXXX? If you don't have that power, then all of those are stored under ..../etc/users/<your id>/<App X>/...

If you have the power to deploy those under real apps and change the permission to App or Global, then those are written to .../etc/apps/<App X>/local/

You can find more in the docs by looking at configuration file precedence.

r. Ismo


guentnergroup
Explorer

Hello, 

So my problem is that I have to put different "source types" under UDP port 514.

Because I have Fortigates, Cisco, Cisco ISE... and all of them use different "source types". And when I asked whether it is possible to just add multiple "source types", the sales guy from Splunk gave me these two links:

https://community.splunk.com/t5/Archive/Multiple-sourcetypes-and-listenners-on-the-same-udp-port/m-p...

https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-...


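Putting the two earlier answers together (keep your own config in an app under /etc/apps/<appname>/local/, and use an index-time transform to set the sourcetype per device on the shared UDP 514 input), here is an added example; it is not from the thread, the linked posts or Splunk's docs. The app name syslog_routing, the hostname prefixes fw-, sw- and ise-, and the target sourcetypes fgt_log, cisco:ios and cisco:ise:syslog are assumptions: match the regexes to your real hostnames and the sourcetype names to the add-ons you actually installed. The btool calls at the end are the check that answers "which app's version am I editing?" from the precedence discussion above.

```shell
#!/bin/sh
# Added example, not from the thread or from Splunk's own docs.
# Creates a small app under $SPLUNK_HOME/etc/apps/<app>/local/ (never under
# etc/system/default) that gives each sending device on the shared UDP 514
# input its own sourcetype, then shows how to confirm with btool which file
# each effective setting was loaded from.
# Assumptions (adjust to your environment): app name "syslog_routing";
# hostnames starting with fw-, sw- and ise-; the target sourcetypes
# fgt_log, cisco:ios and cisco:ise:syslog must match the add-ons you use.

# Write inputs.conf, props.conf and transforms.conf under <app_dir>/local.
#   $1 = app directory, e.g. "$SPLUNK_HOME/etc/apps/syslog_routing"
write_syslog_app_config() {
  app_dir="$1"
  mkdir -p "$app_dir/local"

  # The UDP input sets the initial sourcetype and resolves the sending host
  # (connection_host = dns does a reverse lookup; ip keeps the address).
  # Binding to 514 needs privileges a non-root splunkd normally lacks, which
  # is one more reason to front this with a real syslog daemon instead.
  cat > "$app_dir/local/inputs.conf" <<'EOF'
[udp://514]
sourcetype = syslog
connection_host = dns
EOF

  # Index-time transforms run in the listed order for every event from this
  # input; each matching stanza overwrites the sourcetype, so keep the
  # host patterns disjoint.
  cat > "$app_dir/local/props.conf" <<'EOF'
[source::udp:514]
TRANSFORMS-routing = set_st_fortigate, set_st_cisco_ios, set_st_cisco_ise
EOF

  # SOURCE_KEY = MetaData:Host makes REGEX run against the resolved host,
  # which Splunk stores as "host::<name>", not against the raw payload.
  # FORMAT rewrites MetaData:Sourcetype; the "sourcetype::" prefix is required.
  cat > "$app_dir/local/transforms.conf" <<'EOF'
[set_st_fortigate]
SOURCE_KEY = MetaData:Host
REGEX = ^host::fw-
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::fgt_log

[set_st_cisco_ios]
SOURCE_KEY = MetaData:Host
REGEX = ^host::sw-
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco:ios

[set_st_cisco_ise]
SOURCE_KEY = MetaData:Host
REGEX = ^host::ise-
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco:ise:syslog
EOF
}

# Print the effective stanzas together with the file each line came from.
# If a copy under etc/system/local or etc/users/<you>/<app>/local shadows
# yours, the --debug column is where you will see it (file precedence).
show_effective_config() {
  "$SPLUNK_HOME/bin/splunk" btool inputs list 'udp://514' --debug
  "$SPLUNK_HOME/bin/splunk" btool props list 'source::udp:514' --debug
  "$SPLUNK_HOME/bin/splunk" btool transforms list set_st_fortigate --debug
}

# Apply only when pointed at a real install and explicitly asked to, e.g.
#   SPLUNK_HOME=/opt/splunk sh syslog_routing.sh apply
if [ "${1:-}" = "apply" ] && [ -n "${SPLUNK_HOME:-}" ] && [ -x "$SPLUNK_HOME/bin/splunk" ]; then
  write_syslog_app_config "$SPLUNK_HOME/etc/apps/syslog_routing"
  show_effective_config
  echo "Restart splunkd so the index-time props/transforms take effect."
fi
```

These are index-time settings, so they belong on the instance that owns the UDP input (the indexer or heavy forwarder), not on a search head, and they need a splunkd restart. They only decide which sourcetype an event gets; they do nothing about events dropped on a busy UDP socket, which is the reason for the dedicated syslog server (rsyslog, syslog-ng or SC4S) recommended further down.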

soutamo
SplunkTrust

You could follow those instructions to get different sourcetypes onto those feeds. But a much better and safer way is to use a separate syslog server to terminate the syslog feeds. Terminating those on Splunk always leads to losing events, more or less, compared to using real syslog servers.

guentnergroup
Explorer

Can you recommend any syslog server which I should use together with Splunk?


soutamo
SplunkTrust

You should definitely choose a Linux platform to run it. Then which syslog software you choose is more a matter of what you like. I think rsyslog and syslog-ng are both about equal to run. The configurations are different, but both work. There is also Splunk's SC4S, which is a "ready to run" syslog installation.