Solved: Host in Props.conf Not Working

skoelpin · ‎05-12-2015

I need to lengthen the lines in my events so I went into Splunk\etc\system\local\props.conf and added

[SRV-DCP01UVWS01]
TRUNCATE = 20000 
MAX_EVENTS = 20000

It is not seeing the host, but if I change it from the host to the source [ATG_Message_Log]then it will work correctly. I DO NOT want to use the source as it will affect other logging. I want to use the host

This is a new host, do I have to define the host somewhere in Splunk so it can recognize it?

woodcock · ‎05-12-2015

You have almost certainly done a host-override so you need to use the original host value, not your modified/overridden host value. You could also use sourcetype in props.conf.

View solution in original post

somesoni2 · ‎05-12-2015

Not sure if this is relevant, you're setting properties for the data coming from a host, so shouldn't you be using syntax as [host:SRV-DCP01UVWS01]. Also, the hyphen in the host name could also cause it to not work.

carlosumbc · ‎05-09-2018

@somesoni2: you mention that the hyphen in the host name could also cause it not to work. What do you mean? We are having an issue where hyphenated hostnames aren't working.

skoelpin · ‎05-12-2015

Thanks for your suggestion. In my original post I said it was only working on the source, but meant to say sourcetype. I was finally able to get it to work by changing the sourcetype in my Splunk forwarder.

woodcock · ‎05-12-2015

You have almost certainly done a host-override so you need to use the original host value, not your modified/overridden host value. You could also use sourcetype in props.conf.

skoelpin · ‎05-12-2015

Yeah I would agree, it seems to be the only logical answer. I also tried using the sourcetype and still had no luck, it seems like only the Source is working. I'll report back if I misnamed the host

skoelpin · ‎05-12-2015

I finally got it working by changing my sourcetype in the Splunk forwarder on the server I was trying to hit. Thanks for your help

woodcock · ‎05-12-2015

Be aware that you can rename your sourcetype back to match all of the others so that your searches will work the way they always have like this in props.conf:

[SRV-DCP01UVWS01-unique]
rename SRV-DCP01UVWS01
TRUNCATE = 20000 
MAX_EVENTS = 20000

The benefit of this is that you get your unique changes but you also continue to share a common sourcetype. Futhermore, you can discriminate back out the unique events if you need to by using _sourcetype="SRV-DCP01UVWS01-unique" because _sourcetype is created to contain the original value when you rename sourcetype!

jtrucks · ‎05-12-2015

Check if the host uses FQDN or is coming from that source as an IP not a hostname. Your host stanza has to match how it looks in the data source. Consider wildcards if you have FQDN and non-FQDN, too.

--
Jesse Trucks
Minister of Magic

skoelpin · ‎05-12-2015

Thanks for the response. I'm going to do an nslookup on the box to see if I got the host name correct. I will post back if it works

skoelpin · ‎05-12-2015

I just did an nslookup on that domain and got what matched the data source and it still did not work. I then tried using the IP of the host and still couldn't get that working. The sourcetype also does not work. The only thing which works is the source. Any other ideas? Do I need to define the host somewhere in the inputs.conf?

Host in Props.conf Not Working

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life