Knowledge Management

What is props.conf in splunk?

asarran
Path Finder

Hey, Fellow Splunkers

I'm fairly new to Splunk, I was wandering what exactly is the props.conf?, Where is it located?, and Why is it important? My thoughts of the props.conf is similar to a router configuration? I'm wandering are my thoughts correct in respect to the props.conf?

Thank You,

Tags (1)

ChrisG
Splunk Employee
Splunk Employee

If you are new to Splunk Enterprise and its configuration files, definitely take the time to read the topics in the Admin Manual that start with About configuration files. Understanding the configuration file directory structure, file structure, and file precedence is essential to operating Splunk Enterprise. There is also attribute precedence within a single props.conf file, and the docs have a topic about that, too.

The documentation description of what you can use props.conf for is: "Set indexing property configurations, including timezone offset, custom source type rules, and pattern collision priorities. Also, map transforms to event properties."

0 Karma

sundareshr
Legend

@asarran, props.conf is analagous (very loosely) to a .ini file or .cfg file. It has the setting splunk engine uses to determine how to process the data, either prior to forwarding, prior to indexing OR prior to searching. As such, it can be on Heavy Forwarder, Indexer, Search Head or all of the above.

There are sevaral .conf files in splunk and this link has a good explanation of what each does and when

http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Listofconfigurationfiles
https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F
http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Propsconf

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Welcome to Splunk @asarran !

The props.conf lives on the indexer,heavy forwarder, and/or search head and this applies "rules" while the data is getting parsed. You can specify how it gets timestamped, the format of the timestamp, how the events should break etc..

So basically, the props.conf will apply your configuration settings to your data while being indexed

http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Propsconf

An example of a stanza in props.conf will look like this

[log4j]
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE = ^\$\$\s[A-Z]{5}\s\$\$
TRUNCATE = 30000
MAX_EVENTS = 100000

MuS
SplunkTrust
SplunkTrust

And to add another comment: in some cases it can be used on the universal forwarder as well 😉

See @amrit 's answer here: https://answers.splunk.com/answers/118668/filter-iis-logs-before-indexing.html

cheers, MuS

0 Karma

dshpritz
SplunkTrust
SplunkTrust

Just a note that props.conf can also contain search-time configurations, and as such, usually does not live on just the indexer. It contains index-time and search-time configurations, so it can be placed on both.

skoelpin
SplunkTrust
SplunkTrust

I've updated my answer to reflect this

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...