×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
afmohamm
Engager
Member since: ‎02-03-2014
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎02-03-2014
Activity Feed
View All

Why is a props.conf change on a universal forwarde...

by in Getting Data In
‎06-09-2015 07:47 AM
‎06-09-2015 07:47 AM
I have a Splunk 6.2.0 multisite cluster setup. Per site, there is one indexer, one search head and a master. I am pulling logs from a client on Windows using splunk universal forwarder, but I need to change the Line Break. I have defined a new sourcetype in props.conf and placed it on the client and restarted the splunkd on the client. I still don't see the changes when I search the data on the search head. Do I have to define the sourcetype on the indexer as well? or just the indexer and not in the client? Thanks ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma given to
View All