Splunk Search

Still lost - Where do props and transforms go??

aferone
Builder

We have data coming from a file on a Universal Forwarder that requires field extractions. The extractions are in a props.conf file with many EXTRACT commands.

Where does the props file go?

On the Universal Forwarder?

On the Heavy Forwarder? Our logs go from Universal Forwarder --> Heavy Forwarder ..> Indexers (clustered)

On the Search Head? We have Clustered Search Heads.

I've installed it EVERYWHERE, and I still can't get it working.

One other side note. The props.conf file I received was developed and tested in a 7.X environment. But our production is 6.X. Should that even matter?

Thanks!!

0 Karma
1 Solution

FrankVl
Ultra Champion

EXTRACTS are search time, so that should go on the search heads.

If you have it there and it is not getting applied, are you sure the sourcetype that gets assigned to the data matches what the props.conf stanza is triggering on? Can you post relevant parts of your config to help us spot the error? Incl. some sample data to verify if your extract statements are defined correctly?

The version difference shouldn't be too much of an issue, unless you use some specific feature that is new in 7. But basic extract stuff should work.

View solution in original post

jaracan
Communicator

Put the props.conf in Search Head since you are using the EXTRACT parameter.

EXTRACT- = [| in ]
* Used to create extracted fields (search-time field extractions) that do
not reference transforms.conf stanzas.

Reference:
https://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

0 Karma

splunker12er
Motivator

Ok the question where do I place my props.conf in my deployment ?

Refer to this link : wiki link

I see your case fall under the category 4 -
Universal/Light Forwarder → Heavy Forwarder → Indexer
Input → Parsing → Indexing, Search

Your props.conf files according to your parsing / indexing / searching config as per requirement - it needs to placed in Heavy forwarder & Indexer ( read the wiki link for each phases what are the config stanzas job

0 Karma

FrankVl
Ultra Champion

He mentions he is troubleshooting the field extractions, which are defined as EXTRACT commands in props.conf. EXTRACT works at search time and as the wiki you refer to suggests, such config should go on the Search Heads. So suggesting him to place it on the HF and Indexer doesn't make much sense.

0 Karma

aferone
Builder

alt text

alt text

0 Karma

FrankVl
Ultra Champion

EXTRACTS are search time, so that should go on the search heads.

If you have it there and it is not getting applied, are you sure the sourcetype that gets assigned to the data matches what the props.conf stanza is triggering on? Can you post relevant parts of your config to help us spot the error? Incl. some sample data to verify if your extract statements are defined correctly?

The version difference shouldn't be too much of an issue, unless you use some specific feature that is new in 7. But basic extract stuff should work.

aferone
Builder

I can confirm that the sourcetype of the data does match the props.conf stanza.

0 Karma

aferone
Builder

I had to attach pictures as an answer below.

0 Karma

FrankVl
Ultra Champion

Ok, so the sourcetype matches. Can you show the rest of the config (and some sample data) to enable us to help you troubleshoot?

0 Karma

aferone
Builder

Thanks for the help! There was some critical info missing in the props.conf that I overlooked. This app was written by someone else, so I didn't look at it carefully enough apparently. But indeed, this config belongs on the search head.

Thanks again!

0 Karma

FrankVl
Ultra Champion

You're welcome, glad to hear you were able to solve the issue. And thanks for marking the answer as accepted 🙂

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...