cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
jlamirande_splu
Splunk Employee
Member since: ‎10-07-2015
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎10-07-2015
Activity Feed
View All

Why are my props.conf and transforms.conf configur...

by Splunk Employee in Getting Data In
‎10-07-2015 07:50 AM
1 Karma
‎10-07-2015 07:50 AM
1 Karma
In the Getting Data In documentation, it says I should be able to set host based on event data using props.conf and transforms.conf: http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/overridedefaulthostassignments For the following same data: Sep 24 13:34:18 ca693292l2/10.0.1.140 ironkey: 02280706,2015-09-24T13:34:14Z,"E:/august.txt",5,2015-08-19T11:44:11,2015-08-19T11:44:20,2015-09-24T00:00:00,5D41402ABC4B2A76B9719D911017C592 My props.conf contains: [test_ironkey] NO_BINARY_CHECK = true category = Custom disabled = false pulldown_type = true [source::.../direct-to-syslog-ng-ik_syslog-ng.txt] TRANSFORMS-extract = ironkey1 SHOULD_LINEMERGE = false and my transforms.conf: [ironkey1] DEST_KEY = MetaData:Host REGEX = ^\w+\s\d+\s\d\d:\d\d:\d\d\s(\w+) FORMAT = host::$1 but when I Add Data, it seems to ignore the props.conf and transforms.conf and use the localhost? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All