Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Issues with props.conf and EVAL function

shayhibah
Path Finder
‎01-07-2020 12:54 AM

Hi,

I am trying to add new evaluation for a field in search-time.
For some reason, when I run query from my search head, I get the old values and it seems that the props.conf is not working.

Here is my configuration:

EVAL-action = if(isnull(action), action, if(eventtype == "Intrusion_Detection", if(action IN ("Accept", "Detect", "Allow"),"allowed", "blocked"),action))

If i copy the above line to the search bar, it works OK.

Must mention that I modified props.conf under default directory.

What am I missing here?

Update - I found out that I have 2 EVAL for the same field - does it look only for the last one or do everything in order?

Tags (2)
0 Karma
Reply

gfreitas
Builder
‎01-07-2020 03:47 AM

If one interferes with the other yes you might have problems. See this link for file precedences: https://docs.splunk.com/Documentation/Splunk/8.0.1/Admin/Wheretofindtheconfigurationfiles

You might also need to wait the knowledge bundle to be deployed to the indexers before you can see the configuration working (which might take a few minutes)

0 Karma
Reply
Get Updates on the Splunk Community!

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...