Monitoring Splunk

How to configure universal forwarder props.conf for truncate?

Maryum
Explorer

Hi, 

I'm using Splunk Universal Forwarder for sending UiPath Robot logs to Splunk Server. I noticed that some of our logs are being truncated at the end. I searched for it on the internet and my understanding is that I have to change the Truncate value in props.conf for the Universal Forwarder. I could not figure out where the props.conf file should be changed.
In the beginning I changed  

C:\ProgramFiles\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\props.conf   but then I got to know that you're not supposed to make changes in default configs, so I removed the line from there. 
Then I added a props.config file myself at the location C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\props.conf because there wasn't any, so I thought maybe we have to add it on our own. I used the following lines in props.conf

[default]
Truncate = 50000

Still I could not see any changes in the Splunk logs. Then I read somewhere that you need to restart your forwarder for changes to take effect. I used the following command

 C:\Program Files\SplunkUniversalForwarder\bin>splunk.exe restart   

and got the following error

 Invalid key in stanza [default] in C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\props.conf, line 2: Truncate (value: 50).
Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
Done
Checking default conf files for edits...
Validating installed files against hashes from'C:\Program Files\SplunkUniversalForwarder\splunkforwarder-8.0.5-a1a6394cc5ae-windows-64-manifest'
File 'C:\Program Files\SplunkUniversalForwarder\etc/apps/SplunkUniversalForwarder/default/props.conf' changed.
Problems were found, please review your files and move customizations to local
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
SplunkForwarder: Unable to start the service: Access is denied.

 
I am very new to Splunk so I don't have any idea of these things. I assume that maybe I'm doing it wrong. Can someone please answer the following questions:

  • Where do I need to add props.conf? 
  • What should I add in props.conf and what should be the syntax? 
  • After doing the above, how do I restart Splunk?

Any help will be much appreciated. Thanks 🙂


richgalloway
SplunkTrust

You can make changes to the UF yourself, but any changes to the indexers require access to Splunk Enterprise.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

You are correct about changing the TRUNCATE setting in props.conf, but the change must be in the indexer(s) or heavy forwarder, not on the Universal Forwarder.

Choose the props.conf file that defines the sourcetype being truncated.

The syntax is 

TRUNCATE = <some number larger than 10k>

You have the correct command for restarting Splunk.  Restore the original C:\Program Files\SplunkUniversalForwarder\etc/apps/SplunkUniversalForwarder/default/props.conf file and the UF should start.

---
If this reply helps you, Karma would be appreciated.
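
An added example, not part of the thread and not Splunk's own tooling: a small pre-restart check for a props.conf that flags the two problems visible in the question, a mis-cased setting name (Splunk setting names are case-sensitive, so `Truncate` is not `TRUNCATE`) and an edit made under `default/`. The sourcetype name and the app path in the corrected sample are hypothetical.

```python
import re

# Subset of real props.conf setting names; the full list is in props.conf.spec.
KNOWN_SETTINGS = {"TRUNCATE", "LINE_BREAKER", "SHOULD_LINEMERGE", "MAX_EVENTS",
                  "TIME_FORMAT", "TIME_PREFIX", "MAX_TIMESTAMP_LOOKAHEAD"}

def lint_props(path, text):
    """Return (line_no, message) findings for one props.conf; line 0 = the file."""
    findings = []
    if re.search(r"[\\/]default[\\/][^\\/]+$", path):
        findings.append((0, "file is under default/; move edits to local/"))
    stanza = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            stanza = header.group(1)
            continue
        if "=" not in line:
            findings.append((no, "expected 'KEY = value'"))
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in KNOWN_SETTINGS:
            if key == "TRUNCATE" and not value.isdigit():
                findings.append((no, "TRUNCATE must be a non-negative integer"))
        elif key.upper() in KNOWN_SETTINGS:
            findings.append((no, f"[{stanza}] '{key}' should be '{key.upper()}'"))
        # Anything else is ignored: KNOWN_SETTINGS is only a subset.
    return findings

# Constructed inputs. POSTED mirrors the file from the question; FIXED uses a
# hypothetical sourcetype name and app path on the indexer or heavy forwarder.
POSTED_PATH = r"C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\props.conf"
POSTED = "[default]\nTruncate = 50000\n"
FIXED_PATH = "etc/apps/example_app/local/props.conf"
FIXED = "# hypothetical sourcetype\n[example:uipath:robot]\nTRUNCATE = 50000\n"

if __name__ == "__main__":
    for path, text in ((POSTED_PATH, POSTED), (FIXED_PATH, FIXED)):
        print(path, lint_props(path, text) or "ok")
```

The authoritative check remains the one named in the error output above, `splunk btool check --debug`, run on the host that holds the file.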

bpsechostar
New Member

I'm surprised that no one also noted that local/site changes should not be made to default files. One should make changes to the appropriate .../local/<conffile> so they are not overwritten if and when Splunk is upgraded.


Maryum
Explorer

Thank you for the reply @richgalloway. Where can I find the indexer or heavy forwarder? I have no idea about this. Can you please guide me a little more? ☺


richgalloway
SplunkTrust

You should know the components of your Splunk installation before attempting to make any changes to them.  See https://docs.splunk.com/Documentation/Splunk/8.0.6/InheritedDeployment/Introduction for a good description of how to learn what you have.

You often can find your indexers by examining the outputs.conf file on a forwarder.

Don't make any changes to your indexer(s) until you understand your architecture.  Modifying individual members of a cluster, for example, can lead to unexpected problems later.

---
If this reply helps you, Karma would be appreciated.

Maryum
Explorer

Thank you so much 🙂
And just a thought, do I need access to Splunk Enterprise to make any changes? Asking this because Splunk is on the client's server and the UF is on our local systems. 
