I'm just starting to work with Splunk. I am trying to change the definition of events in an input file by editing the props.conf file in the etc/local directory. Unfortunately my edits are having no effect. I have tried:
-- Adding "| extract reload=true" to the end of the active search operating on the input file
-- Restarting Splunk with Manager/Restart from the web interface.
One odd thing worth mentioning: when I first tried to save a modified props.conf file, I had to manually alter the Windows permissions to let myself write the file.
So my question is, what is the normal development procedure for testing and updating changes to event definitions? Is there a setting somewhere else that I need to modify so manually edited changes take effect?
To learn Splunk I installed it on my Windows laptop. I'm running the free version almost fresh out of the box at this point.