Hey, Fellow Splunkers
I'm fairly new to Splunk. I was wondering what exactly is the props.conf? Where is it located? And why is it important? My thoughts of the props.conf is similar to a router configuration? I'm wondering are my thoughts correct in respect to the props.conf?
Thank You,
If you are new to Splunk Enterprise and its configuration files, definitely take the time to read the topics in the Admin Manual that start with About configuration files. Understanding the configuration file directory structure, file structure, and file precedence is essential to operating Splunk Enterprise. There is also attribute precedence within a single props.conf file, and the docs have a topic about that, too.
The documentation description of what you can use props.conf for is: "Set indexing property configurations, including timezone offset, custom source type rules, and pattern collision priorities. Also, map transforms to event properties."
@asarran, props.conf is analogous (very loosely) to a .ini file or .cfg file. It has the settings the Splunk engine uses to determine how to process the data, either prior to forwarding, prior to indexing OR prior to searching. As such, it can be on Heavy Forwarder, Indexer, Search Head or all of the above.
There are several .conf files in Splunk and this link has a good explanation of what each does and when:
http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Listofconfigurationfiles
https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F
http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Propsconf
Welcome to Splunk @asarran !
The props.conf lives on the indexer, heavy forwarder, and/or search head and this applies "rules" while the data is getting parsed. You can specify how it gets timestamped, the format of the timestamp, how the events should break, etc.
So basically, the props.conf will apply your configuration settings to your data while being indexed
http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Propsconf
An example of a stanza in props.conf will look like this:
[log4j]
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE = ^\$\$\s[A-Z]{5}\s\$\$
TRUNCATE = 30000
MAX_EVENTS = 100000
And to add another comment: in some cases it can be used on the universal forwarder as well 😉
See @amrit 's answer here: https://answers.splunk.com/answers/118668/filter-iis-logs-before-indexing.html
cheers, MuS
Just a note that props.conf can also contain search-time configurations, and as such, usually does not live on just the indexer. It contains index-time and search-time configurations, so it can be placed on both.
I've updated my answer to reflect this
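An added example, not part of the original thread and not Splunk's own code: a simplified Python model of how the `[log4j]` stanza quoted above groups lines into events. The sample log lines, the function names, and the per-character handling of `TRUNCATE` are assumptions; the constructed `INFO` line shows that a four-letter level does not match `[A-Z]{5}` and is silently merged into the previous event.

```python
import configparser
import re

# The [log4j] stanza quoted in the thread, embedded so the script runs offline.
PROPS = r"""
[log4j]
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE = ^\$\$\s[A-Z]{5}\s\$\$
TRUNCATE = 30000
MAX_EVENTS = 100000
"""

# Constructed sample input (not real log data).
SAMPLE = """\
$$ ERROR $$ 2016-07-01 12:00:01 login failed for user=alice
java.lang.IllegalStateException: bad token
    at com.example.Auth.check(Auth.java:42)
$$ DEBUG $$ 2016-07-01 12:00:02 session closed
$$ INFO $$ 2016-07-01 12:00:03 heartbeat
"""

def load_stanza(text, name):
    """Read one props.conf stanza into a dict, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(text)
    return dict(cp[name])

def merge_lines(raw, conf):
    """Simplified model: break on a BREAK_ONLY_BEFORE match or at MAX_EVENTS lines."""
    if conf.get("SHOULD_LINEMERGE", "true").lower() != "true":
        return raw.splitlines()  # one event per line
    start = re.compile(conf["BREAK_ONLY_BEFORE"])
    max_lines = int(conf.get("MAX_EVENTS", 256))
    limit = int(conf.get("TRUNCATE", 10000))  # counted in characters here
    events, current = [], []
    for line in raw.splitlines():
        line = line[:limit] if limit else line  # TRUNCATE = 0 means no cap
        if current and (start.search(line) or len(current) >= max_lines):
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events

if __name__ == "__main__":
    for i, ev in enumerate(merge_lines(SAMPLE, load_stanza(PROPS, "log4j")), 1):
        print(f"--- event {i} ({ev.count(chr(10)) + 1} lines)\n{ev}")
```

Running a stanza against a few representative lines like this before deploying it helps catch break patterns that are too narrow, which would otherwise hide separate events from searches and alerts.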