
Still lost - Where do props and transforms go??

Builder

We have data coming from a file on a Universal Forwarder that requires field extractions. The extractions are in a props.conf file with many EXTRACT commands.

Where does the props file go?

On the Universal Forwarder?

On the Heavy Forwarder? Our logs go from Universal Forwarder --> Heavy Forwarder --> Indexers (clustered)

On the Search Head? We have Clustered Search Heads.

I've installed it EVERYWHERE, and I still can't get it working.

One other side note. The props.conf file I received was developed and tested in a 7.X environment. But our production is 6.X. Should that even matter?

Thanks!!

0 Karma

Re: Still lost - Where do props and transforms go??

Ultra Champion

EXTRACTS are search time, so that should go on the search heads.

If you have it there and it is not getting applied, are you sure the sourcetype that gets assigned to the data matches what the props.conf stanza is triggering on? Can you post relevant parts of your config to help us spot the error? Incl. some sample data to verify if your extract statements are defined correctly?

The version difference shouldn't be too much of an issue, unless you use some specific feature that is new in 7. But basic extract stuff should work.



Re: Still lost - Where do props and transforms go??

Builder

I can confirm that the sourcetype of the data does match the props.conf stanza.

0 Karma

Re: Still lost - Where do props and transforms go??

Builder

I had to attach pictures as an answer below.

0 Karma

Re: Still lost - Where do props and transforms go??

Ultra Champion

Ok, so the sourcetype matches. Can you show the rest of the config (and some sample data) to enable us to help you troubleshoot?

0 Karma

Re: Still lost - Where do props and transforms go??

Builder

Thanks for the help! There was some critical info missing in the props.conf that I overlooked. This app was written by someone else, so I didn't look at it carefully enough apparently. But indeed, this config belongs on the search head.

Thanks again!

0 Karma

Re: Still lost - Where do props and transforms go??

Ultra Champion

You're welcome, glad to hear you were able to solve the issue. And thanks for marking the answer as accepted 🙂

0 Karma

Re: Still lost - Where do props and transforms go??

Motivator

OK, the question is: where do I place my props.conf in my deployment?

Refer to this link: wiki link

I see your case falls under category 4:
Universal/Light Forwarder → Heavy Forwarder → Indexer
Input → Parsing → Indexing, Search

Your props.conf files go according to your parsing / indexing / searching config as per requirement. It needs to be placed on the Heavy Forwarder & Indexer (read the wiki link for the job of the config stanzas in each phase).

0 Karma

Re: Still lost - Where do props and transforms go??

Ultra Champion

He mentions he is troubleshooting the field extractions, which are defined as EXTRACT commands in props.conf. EXTRACT works at search time and, as the wiki you refer to suggests, such config should go on the Search Heads. So suggesting that he place it on the HF and Indexer doesn't make much sense.

0 Karma
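The search-time versus parse-time split discussed in this thread, as an added example that is not part of the original posts: a small Python script that reads a props.conf and sorts each stanza's settings by the tier that applies them. The stanza name, setting values and transform names in the sample are constructed, the prefix lists cover only a subset of props.conf settings, and the parser assumes no backslash-continued lines.

```python
import re

# Setting-name prefixes Splunk applies at search time (search head tier).
SEARCH_TIME = ("EXTRACT-", "REPORT-", "FIELDALIAS-", "EVAL-", "LOOKUP-", "KV_MODE")
# Settings applied while parsing, on the first full Splunk instance the data
# reaches (the heavy forwarder in UF -> HF -> indexer, otherwise the indexer).
PARSE_TIME = ("TRANSFORMS-", "LINE_BREAKER", "SHOULD_LINEMERGE", "TIME_PREFIX",
              "TIME_FORMAT", "MAX_TIMESTAMP_LOOKAHEAD", "TRUNCATE", "SEDCMD-")

def classify(props_text):
    """Return {stanza: {"search": [...], "parse": [...], "other": [...]}}."""
    result, stanza = {}, None
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            stanza = header.group(1)
            result.setdefault(stanza, {"search": [], "parse": [], "other": []})
            continue
        if stanza is None or "=" not in line:
            continue  # setting outside any stanza, or not a key = value line
        key = line.split("=", 1)[0].strip()
        if key.startswith(SEARCH_TIME):
            phase = "search"
        elif key.startswith(PARSE_TIME):
            phase = "parse"
        else:
            phase = "other"
        result[stanza][phase].append(key)
    return result

# Constructed sample props.conf; names and values are illustrative only.
SAMPLE = r"""
[acme:app]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^ts=
EXTRACT-user = user=(?<user>\w+)
EXTRACT-action = action=(?<action>\w+)
REPORT-kv = acme_kv
TRANSFORMS-drop = acme_drop_debug
"""

if __name__ == "__main__":
    for name, phases in classify(SAMPLE).items():
        print(f"[{name}]")
        print("  search head:", ", ".join(phases["search"]) or "-")
        print("  HF/indexer :", ", ".join(phases["parse"]) or "-")
```
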