Splunk Search

how to load an edited props.conf?

peterweinstein
Explorer

Hi,

I'm just starting to work with Splunk. I am trying to change the definition of events in an input file by editing the props.conf file in the etc/local directory. Unfortunately my edits are having no effect. I have tried:

-- Adding "| extract reload=true" to the end of the active search operating on the input file

-- Restarting Splunk with Manager/Restart from the web interface.

One odd thing worth mentioning: when I first tried to save a modified props.conf file, I had to manually alter the Windows permissions to let myself write the file.

So my question is, what is the normal development procedure for testing and updating changes to event definitions? Is there a setting somewhere else that I need to modify so manually edited changes take effect?

To learn Splunk I installed it on my Windows laptop. I'm running the free version almost fresh out of the box at this point.

Thanks for your help,
Peter


kristian_kolb
Ultra Champion

It depends on what you are editing in props.conf. If there is anything that has to do with line breaking, timestamping, etc. that happens at index time, you need to restart the splunkd service.

If it is settings regarding search-time eventtype definitions or field extractions, a | extract reload=t should work fine.

However, it must be the first and only thing entered in the search box. So the search starts with a pipe.

As for the permissions, it will depend on how you installed it. Unfortunately, it is not as easily understood as in *nix.

Hope this helps,

Kristian
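
The index-time versus search-time split described in the answer above, as an added example that is not part of the original thread: a small script that reads a props.conf and groups its settings by when they apply. The setting lists are a partial selection made for this example, the function names are hypothetical, and the sample stanzas are constructed.

```python
import re

# Partial lists picked for this example; props.conf has many more settings.
INDEX_TIME = {"LINE_BREAKER", "SHOULD_LINEMERGE", "BREAK_ONLY_BEFORE", "TRUNCATE",
              "TIME_PREFIX", "TIME_FORMAT", "MAX_TIMESTAMP_LOOKAHEAD", "TZ"}
INDEX_TIME_PREFIXES = ("TRANSFORMS-", "SEDCMD-")
SEARCH_TIME = {"KV_MODE"}
SEARCH_TIME_PREFIXES = ("EXTRACT-", "REPORT-", "FIELDALIAS-", "EVAL-", "LOOKUP-")
# Constructed sample, not taken from the thread.
SAMPLE = r"""[my_app_log]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\d{4}-
TIME_FORMAT = %Y-%m-%d %H:%M:%S
EXTRACT-user = user=(?<user>\w+)
# REPORT-old = disabled
[other_log]
FIELDALIAS-src = source_ip AS src
"""

def classify(key):
    if key in INDEX_TIME or key.startswith(INDEX_TIME_PREFIXES):
        return "index"    # parsed when data is indexed
    if key in SEARCH_TIME or key.startswith(SEARCH_TIME_PREFIXES):
        return "search"   # applied when a search runs
    return "unknown"

def parse_props(text):
    """Return (stanza, key) pairs, skipping comments and continued lines."""
    stanza, pairs, cont = "default", [], False
    for raw in text.splitlines():
        line = raw.strip()
        was_cont, cont = cont, line.endswith("\\")
        if was_cont or not line or line.startswith("#"):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            stanza = m.group(1)
        elif "=" in line:
            pairs.append((stanza, line.split("=", 1)[0].strip()))
    return pairs

def reload_plan(text):
    """Group settings by when they apply, so the needed reload step is clear."""
    plan = {"index": [], "search": [], "unknown": []}
    for stanza, key in parse_props(text):
        plan[classify(key)].append(f"[{stanza}] {key}")
    return plan

if __name__ == "__main__":
    print(reload_plan(SAMPLE))
```

Anything listed under "index" falls in the restart-splunkd case from the answer; a file with only "search" entries is the case where | extract reload=t applies.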
