We have data coming from a file on a Universal Forwarder that requires field extractions. The extractions are in a props.conf file with many EXTRACT commands.
Where does the props file go?
On the Universal Forwarder?
On the Heavy Forwarder? Our logs go from Universal Forwarder --> Heavy Forwarder --> Indexers (clustered)
On the Search Head? We have Clustered Search Heads.
I've installed it EVERYWHERE, and I still can't get it working.
One other side note. The props.conf file I received was developed and tested in a 7.X environment. But our production is 6.X. Should that even matter?
EXTRACTS are search time, so that should go on the search heads.
If you have it there and it is not getting applied, are you sure the sourcetype that gets assigned to the data matches what the props.conf stanza is triggering on? Can you post relevant parts of your config to help us spot the error? Incl. some sample data to verify if your extract statements are defined correctly?
The version difference shouldn't be too much of an issue, unless you use some specific feature that is new in 7. But basic extract stuff should work.
Ok, so the sourcetype matches. Can you show the rest of the config (and some sample data) to enable us to help you troubleshoot?
Thanks for the help! There was some critical info missing in the props.conf that I overlooked. This app was written by someone else, so I didn't look at it carefully enough apparently. But indeed, this config belongs on the search head.
You're welcome, glad to hear you were able to solve the issue. And thanks for marking the answer as accepted 🙂
OK, the question: where do I place my props.conf in my deployment?
Refer to this link: wiki link
I see your case falls under category 4:
Universal/Light Forwarder → Heavy Forwarder → Indexer
Input → Parsing → Indexing, Search
props.conf files go according to your parsing / indexing / searching config as per requirement - it needs to be placed on the Heavy Forwarder & Indexer (read the wiki link for what the config stanzas do in each phase)
He mentions he is troubleshooting the field extractions, which are defined as EXTRACT commands in props.conf. EXTRACT works at search time and as the wiki you refer to suggests, such config should go on the Search Heads. So suggesting him to place it on the HF and Indexer doesn't make much sense.
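The two checks discussed in this thread (which tier a props.conf setting belongs on, and whether the stanza name matches the sourcetype) can be scripted. The following is an added example, not code from the thread or from Splunk; the sourcetype `acme:app` and the sample props.conf are constructed, and the prefix lists cover only common settings.

```python
import re

# Assumed (partial) mapping of props.conf setting prefixes to where they apply.
SEARCH_TIME = ("EXTRACT-", "REPORT-", "FIELDALIAS-", "EVAL-", "LOOKUP-", "KV_MODE")
PARSE_TIME = ("TRANSFORMS-", "SEDCMD-", "LINE_BREAKER", "SHOULD_LINEMERGE",
              "TIME_PREFIX", "TIME_FORMAT", "MAX_TIMESTAMP_LOOKAHEAD", "TRUNCATE")
SH = "search head"
PARSE = "parsing tier (heavy forwarder or indexer)"

# Constructed sample props.conf mixing parse-time and search-time settings.
SAMPLE = r"""
[acme:app]
LINE_BREAKER = ([\r\n]+)
TIME_FORMAT = %Y-%m-%d %H:%M:%S
EXTRACT-user = user=(?<user>\S+)
EXTRACT-status = status=(?<status>\d+)
"""

def tier_of(key):
    if key.startswith(SEARCH_TIME):
        return SH
    if key.startswith(PARSE_TIME):
        return PARSE
    return "unclassified"

def classify(props_text):
    """Return {stanza: {setting: tier}} for the text of a props.conf file."""
    result, stanza = {}, None
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            stanza = header.group(1)
            result.setdefault(stanza, {})
        elif "=" in line and stanza is not None:
            key = line.split("=", 1)[0].strip()
            result[stanza][key] = tier_of(key)
    return result

def extracts_for(props_text, sourcetype):
    """EXTRACT- settings that fire for a sourcetype (stanza match is case-sensitive)."""
    settings = classify(props_text).get(sourcetype, {})
    return [k for k in settings if k.startswith("EXTRACT-")]

if __name__ == "__main__":
    for key, tier in classify(SAMPLE)["acme:app"].items():
        print(f"{key:16} -> {tier}")
```

An empty list from `extracts_for` for the sourcetype actually assigned to the events means the extractions will not apply, regardless of which tier the file is installed on.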