Where do I go & how should I do it?
I know what to change,
[$sourcetype]
MAX_EVENTS = 100000
I would appreciate your help,
A newcomer
The file to edit is SPLUNK_HOME/etc/system/local/props.conf. If it doesn't exist, create one. DO NOT edit default/props.conf! Use the text editor of your choice to do the editing.
Do I put the line in a search head?
Put it on the indexer(s). Remember to restart Splunk after making the change.
Sorry, but do you mean at time of "Adding Data?"
Whenever you modify a .conf file outside the Splunk GUI, Splunk must be restarted to incorporate the change.
like, index setting section?
props.conf can be found in a few places:
$SPLUNK_HOME/etc/system/default - Default props (do not modify)
$SPLUNK_HOME/etc/system/local - Should be used for adjustments that are only needed on THIS system
$SPLUNK_HOME/etc/apps/{APPNAME}/default - An app's default props.conf (do not modify)
$SPLUNK_HOME/etc/apps/{APPNAME}/local - Customization of an app's props.conf.
If there isn't a props.conf under the local directory, a new file should be created.
We use the following guidelines:
If you are looking for where the props.conf settings for a specific sourcetype are defined, you can use the btool command:
For all props:
$SPLUNK_HOME/bin/splunk cmd btool --debug props list
For the props to a specific sourcetype:
$SPLUNK_HOME/bin/splunk cmd btool --debug props list $sourcetype
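The procedure from the answers above (create etc/system/local/props.conf if it is missing, never touch default, then check with btool and restart), as an added example that is not part of any post in this thread and not Splunk tooling. `set_local_prop` and `my_sourcetype` are hypothetical names, and the example assumes the key meant in the question is `MAX_EVENTS`, the props.conf line-limit setting.

```shell
#!/bin/sh
# Added example: set one key in one stanza of etc/system/local/props.conf.
# set_local_prop is a hypothetical helper, not a Splunk command.
# It only ever writes under local/, so default/props.conf is never touched.
set_local_prop() {
    home=$1 stanza=$2 key=$3 value=$4
    dir="$home/etc/system/local"
    conf="$dir/props.conf"
    mkdir -p "$dir" || return 1
    [ -f "$conf" ] || : > "$conf"        # create the local file if it is missing
    tmp=$(mktemp) || return 1
    awk -v st="[$stanza]" -v k="$key" -v v="$value" '
        # Add the key at the end of the stanza if it was not already replaced.
        function emit() { if (in_st && !done) { print k " = " v; done = 1 } }
        /^\[/ { emit(); in_st = ($0 == st); if (in_st) seen = 1 }
        in_st && $0 ~ "^[ \t]*" k "[ \t]*=" { print k " = " v; done = 1; next }
        { print }
        END { emit(); if (!seen) { print st; print k " = " v } }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps the file owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# On the indexer, then verify and restart (btool command as given in the thread):
#   set_local_prop "$SPLUNK_HOME" my_sourcetype MAX_EVENTS 100000
#   "$SPLUNK_HOME/bin/splunk" cmd btool --debug props list my_sourcetype
#   "$SPLUNK_HOME/bin/splunk" restart
```

In the btool output, the `--debug` column shows which props.conf file each setting came from, which confirms that the value is read from the local directory.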