Splunk Cloud Platform
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit props.conf in splunk cloud

splunk2xconnect
Observer
‎12-23-2021 07:28 AM

Hi,

I need to filter data to reduce my ingestion volume and for that I need to change below two files. But I don't see these file in any option in splunk cloud platform. I am attaching the settings menu in splunk cloud. I have sc_admin privileges but still I don't see these files anywhere. Can you please let me know where to find these files and how to edit them in splunk clould ? 

Screenshot 2021-12-23 at 8.55.53 PM.png

 

File props.conf

[httpevent]
TRANSFORMS-t1=eliminate-okhttp3

 

Below need to edit in transforms.conf.

[eliminate-okhttp3]
REGEX = okhttp3
DEST_KEY = queue
FORMAT = nullQueue

Thanks,

Dee

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-23-2021 08:18 AM

One cannot edit config files in Splunk Cloud.

The workaround is to create a custom app with your .conf settings and upload it to your cloud instance.

---
If this reply helps you, Karma would be appreciated.
Reply

splunk2xconnect
Observer
‎12-23-2021 09:04 AM

Thanks for the quick response. 

Can you please elaborate on how to create custom apps ? Would we able able to move all our log sources (from which the logs are coming to Splunk) to this app ? 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-23-2021 09:49 AM

Creating an app is pretty simple, at least once you have the hang of it.

Start with a Linux directory called 'myorg_httpevent_props'.  Replace "myorg" with an abbreviation of your company name.  There's nothing special about this name so you can use any name that doesn't conflict with another Splunk app (globally).

Create a subdirectory called "default" (it must be exactly that).  Within that directory, create three files: app.conf, props.conf, and transforms.conf.  The latter two will hold your configs from the OP.  The app. conf file tells Splunk about the app and will look something like this:

[install]
state = enabled

[package]
check_for_updates = false
# The value below must match the directory name
id = myorg_httpevents_props

[ui]
is_visible = false

[launcher]
version = 1.0.0
author = <your name>
description = <some helpful text>

chmod the flles with 644 and then put them into a compressed tarball.  Upload the tarball to your Splunk Cloud search head and wait for it to be vetted.  If vetting fails, read the report, make the necessary changes, and upload again.  (Delete the old upload before re-uploading.)  Once the app passes vetting you can install it.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Index This | How many sides does a circle have?

  March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...
Top