Hi, I want to preface I understand that props isn't fully processed if you install it on the universal forwarder. My question is about the difference between the install of a Splunk Universal Forwarder vs Splunk converted to a Forwarder license. My setup is a fresh install of an ancient 6.5.2 SplunkForwarder and 6.5.2 Splunk in Forwarder Mode on two machines and mapped like this. Server1: Universal Forwarder --> Indexer Server2: Splunk (updated to run as a Forwarder) --> Indexer. On the indexer I have a props change (a trivial SEDCMD-test = s/a/o/g ) If I install the same serverclass on both servers that reads a /tmp/test.log and where I write some lines with letters a in them the Server 1's messages end up changed from a to o while Server 2's do not, they staay as a. I've tested it with multiple server installs (albeit on an old version 6.5.2). It seems to me that Splunk in forwarder, unlike a dedicated Splunk Universal Forwarder, applies some kind of tag that prevents downstream props/transforms changes to occur. A raw message coming from Universal Forwarder is then processed by the indexer's props/transforms while a message coming from Splunk in Forwarder mode does not. Note: I checked for any silliness. Both Servers send to the same indexer, have identical serverclass, sourcetype, inputs and outputs. And the props on the indexer only applies to a sourcetype not any specific host (btool matches on source servers) My questions are listed below. Can you confirm that there is some kind of cooked tag on events coming from Splunk (in forwarder mode) that tells downstream systems not to apply props/transforms and just write immediately to an index? Is there anything I can do on the server with Splunk in forwarder mode to behave exactly like a UniversalForwarder? Perhaps a etc conf change, or do I need to just uninstall it and setup Splunk UniversalForwarder from scratch (confirmed this works). How can I debug props/transforms issues between two servers. Turning on DEBUG mode didn't say anything useful in splunkd.log like "applying props [foo] on event 'Hello World'" Thanks! ... View more

[ANSWERED by to4kawa] props.conf should be [yoursourcetype] DATETIME_CONFIG = CURRENT SHOULD_LINEMERGE = false LINE_BREAKER = .*($) I have a Catch 22 issue. I want three things to happen. I want to monitor a log file and to combine all lines into a single event until the file is not updated for 2 seconds or more. I want to disable all time extraction, I want all the time set to current (ie _indextime). Being able to handle arbitrary data without any separators. Imagine my file is empty and then within a microsecond these three lines are added to my file. TEST1 Fri Apr 6 20:05:59 EDT 2020 TEST2 Fri Apr 3 20:04:30 EDT 2020 TEST3 Fri Apr 1 20:05:59 EDT 2020 I would like them all to be combined into a single event. And I want the timestamp to be set to current. If I just just start monitoring the file without any props it combines the events into a single one just fine. BUT it will try to parse the timestamps and they will be all over the place. If I mod props.conf and set DATETIME_CONFIG=CURRENT it will set the time to the current one but then split the events into single lines. So I am in a catch 22, I can have one or the other. Any ideas what inputs/props/transforms combo I can have that ignores all time stamps, and combines the events into a single one no matter what. I honestly want something that checks if file has not been modified for 2 seconds and then combine everything new that was added into ONE event. Thanks! ... View more