Splunk Cloud Platform

How to edit props.conf in splunk cloud

splunk2xconnect
Observer

Hi,

I need to filter data to reduce my ingestion volume and for that I need to change below two files. But I don't see these file in any option in splunk cloud platform. I am attaching the settings menu in splunk cloud. I have sc_admin privileges but still I don't see these files anywhere. Can you please let me know where to find these files and how to edit them in splunk clould ? 

Screenshot 2021-12-23 at 8.55.53 PM.png

 

File props.conf

[httpevent]
TRANSFORMS-t1=eliminate-okhttp3

 

Below need to edit in transforms.conf.

[eliminate-okhttp3]
REGEX = okhttp3
DEST_KEY = queue
FORMAT = nullQueue

Thanks,

Dee

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

One cannot edit config files in Splunk Cloud.

The workaround is to create a custom app with your .conf settings and upload it to your cloud instance.

---
If this reply helps you, Karma would be appreciated.

splunk2xconnect
Observer

Thanks for the quick response. 

Can you please elaborate on how to create custom apps ? Would we able able to move all our log sources (from which the logs are coming to Splunk) to this app ? 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Creating an app is pretty simple, at least once you have the hang of it.

Start with a Linux directory called 'myorg_httpevent_props'.  Replace "myorg" with an abbreviation of your company name.  There's nothing special about this name so you can use any name that doesn't conflict with another Splunk app (globally).

Create a subdirectory called "default" (it must be exactly that).  Within that directory, create three files: app.conf, props.conf, and transforms.conf.  The latter two will hold your configs from the OP.  The app. conf file tells Splunk about the app and will look something like this:

[install]
state = enabled

[package]
check_for_updates = false
# The value below must match the directory name
id = myorg_httpevents_props

[ui]
is_visible = false

[launcher]
version = 1.0.0
author = <your name>
description = <some helpful text>

chmod the flles with 644 and then put them into a compressed tarball.  Upload the tarball to your Splunk Cloud search head and wait for it to be vetted.  If vetting fails, read the report, make the necessary changes, and upload again.  (Delete the old upload before re-uploading.)  Once the app passes vetting you can install it.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...