Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Where is Indexer specific props.Conf files saved?

ethanthomas
Path Finder
‎03-19-2021 09:14 PM

Is there individual indexer specific conf files present specially for Props.conf file ?  In Linux , how can we identify the indexer specific conf files for a particular index ?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎03-20-2021 07:47 AM

Hi @ethanthomas,

I think you want which props setting has an effect on the indexer.  You can check the below wiki page, on this page parsing phase happens on indexers (or heavy forwarders). And as @richgalloway said, these settings are works by sourcetype not index.

https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F

TRUNCATE, LINE_BREAKER, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings
TZ, DATETIME_CONFIG, TIME_FORMAT, TIME_PREFIX, and all other time extraction settings and rules
TRANSFORMS* which includes per-event queue filtering, per-event index assignment, per-event routing. Applied in the order defined
SEDCMD*
MORE_THAN*, LESS_THAN*
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-20-2021 05:17 AM

Typically, config files are neither index nor indexer specific.  Conf files belong to the system, an app, or a user rather than indexes or indexers.  To create an indexer-specific props.conf file, one would edit $SPLUNK_HOME/etc/system/local/props.conf on each indexer - something not advised in an indexer cluster.  To do the same for indexes, create a separate app for each index and have it contain a different props.conf file.

To find a props.conf file, use btool. This command will list all of the attributes from every props.conf file along with the name of the file from which it came.  Use grep to filter the output and you'll have the file path.

splunk btool --debug props list

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...