Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Issues with props.conf and EVAL function

shayhibah
Path Finder
‎01-07-2020 12:54 AM

Hi,

I am trying to add new evaluation for a field in search-time.
For some reason, when I run query from my search head, I get the old values and it seems that the props.conf is not working.

Here is my configuration:

EVAL-action = if(isnull(action), action, if(eventtype == "Intrusion_Detection", if(action IN ("Accept", "Detect", "Allow"),"allowed", "blocked"),action))

If i copy the above line to the search bar, it works OK.

Must mention that I modified props.conf under default directory.

What am I missing here?

Update - I found out that I have 2 EVAL for the same field - does it look only for the last one or do everything in order?

Tags (2)
0 Karma
Reply

gfreitas
Builder
‎01-07-2020 03:47 AM

If one interferes with the other yes you might have problems. See this link for file precedences: https://docs.splunk.com/Documentation/Splunk/8.0.1/Admin/Wheretofindtheconfigurationfiles

You might also need to wait the knowledge bundle to be deployed to the indexers before you can see the configuration working (which might take a few minutes)

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...