Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Where is Indexer specific props.Conf files saved?

ethanthomas
Path Finder
‎03-19-2021 09:14 PM

Is there individual indexer specific conf files present specially for Props.conf file ?  In Linux , how can we identify the indexer specific conf files for a particular index ?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎03-20-2021 07:47 AM

Hi @ethanthomas,

I think you want which props setting has an effect on the indexer.  You can check the below wiki page, on this page parsing phase happens on indexers (or heavy forwarders). And as @richgalloway said, these settings are works by sourcetype not index.

https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F

TRUNCATE, LINE_BREAKER, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings
TZ, DATETIME_CONFIG, TIME_FORMAT, TIME_PREFIX, and all other time extraction settings and rules
TRANSFORMS* which includes per-event queue filtering, per-event index assignment, per-event routing. Applied in the order defined
SEDCMD*
MORE_THAN*, LESS_THAN*
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-20-2021 05:17 AM

Typically, config files are neither index nor indexer specific.  Conf files belong to the system, an app, or a user rather than indexes or indexers.  To create an indexer-specific props.conf file, one would edit $SPLUNK_HOME/etc/system/local/props.conf on each indexer - something not advised in an indexer cluster.  To do the same for indexes, create a separate app for each index and have it contain a different props.conf file.

To find a props.conf file, use btool. This command will list all of the attributes from every props.conf file along with the name of the file from which it came.  Use grep to filter the output and you'll have the file path.

splunk btool --debug props list

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...