Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Issues with props.conf and EVAL function

shayhibah
Path Finder
‎01-07-2020 12:54 AM

Hi,

I am trying to add new evaluation for a field in search-time.
For some reason, when I run query from my search head, I get the old values and it seems that the props.conf is not working.

Here is my configuration:

EVAL-action = if(isnull(action), action, if(eventtype == "Intrusion_Detection", if(action IN ("Accept", "Detect", "Allow"),"allowed", "blocked"),action))

If i copy the above line to the search bar, it works OK.

Must mention that I modified props.conf under default directory.

What am I missing here?

Update - I found out that I have 2 EVAL for the same field - does it look only for the last one or do everything in order?

Tags (2)
0 Karma
Reply

gfreitas
Builder
‎01-07-2020 03:47 AM

If one interferes with the other yes you might have problems. See this link for file precedences: https://docs.splunk.com/Documentation/Splunk/8.0.1/Admin/Wheretofindtheconfigurationfiles

You might also need to wait the knowledge bundle to be deployed to the indexers before you can see the configuration working (which might take a few minutes)

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...