Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is props.conf in splunk?

asarran
Path Finder
‎08-10-2016 12:59 PM

Hey, Fellow Splunkers

I'm fairly new to Splunk, I was wandering what exactly is the props.conf?, Where is it located?, and Why is it important? My thoughts of the props.conf is similar to a router configuration? I'm wandering are my thoughts correct in respect to the props.conf?

Thank You,

Tags (1)
Reply

ChrisG
Splunk Employee
Splunk Employee
‎08-10-2016 01:53 PM

If you are new to Splunk Enterprise and its configuration files, definitely take the time to read the topics in the Admin Manual that start with About configuration files. Understanding the configuration file directory structure, file structure, and file precedence is essential to operating Splunk Enterprise. There is also attribute precedence within a single props.conf file, and the docs have a topic about that, too.

The documentation description of what you can use props.conf for is: "Set indexing property configurations, including timezone offset, custom source type rules, and pattern collision priorities. Also, map transforms to event properties."

0 Karma
Reply

sundareshr
Legend
‎08-10-2016 01:12 PM

@asarran, props.conf is analagous (very loosely) to a .ini file or .cfg file. It has the setting splunk engine uses to determine how to process the data, either prior to forwarding, prior to indexing OR prior to searching. As such, it can be on Heavy Forwarder, Indexer, Search Head or all of the above.

There are sevaral .conf files in splunk and this link has a good explanation of what each does and when

http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Listofconfigurationfiles
https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F
http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Propsconf

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎08-10-2016 01:03 PM

Welcome to Splunk @asarran !

The props.conf lives on the indexer,heavy forwarder, and/or search head and this applies "rules" while the data is getting parsed. You can specify how it gets timestamped, the format of the timestamp, how the events should break etc..

So basically, the props.conf will apply your configuration settings to your data while being indexed

http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Propsconf

An example of a stanza in props.conf will look like this 

[log4j]
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE = ^\$\$\s[A-Z]{5}\s\$\$
TRUNCATE = 30000
MAX_EVENTS = 100000
Reply

MuS
Legend
‎08-10-2016 01:36 PM

And to add another comment: in some cases it can be used on the universal forwarder as well 😉

See @amrit 's answer here: https://answers.splunk.com/answers/118668/filter-iis-logs-before-indexing.html

cheers, MuS

0 Karma
Reply

dshpritz
SplunkTrust
SplunkTrust
‎08-10-2016 01:16 PM

Just a note that props.conf can also contain search-time configurations, and as such, usually does not live on just the indexer. It contains index-time and search-time configurations, so it can be placed on both.

Reply

skoelpin
SplunkTrust
SplunkTrust
‎08-10-2016 01:19 PM

I've updated my answer to reflect this

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...