How to configure props.conf for two different log types: bluecoat and bluecoat_sg?

iherre312
Explorer

I have two different props.conf stanzas for two different log types (i.e., bluecoat and bluecoat_proxysg). What is the best way to handle props.conf? Should I just create a separate sourcetype for each? The timestamps are in different formats and locations in the events.

rphillips_splk
Splunk Employee

If your timestamps for the two different log types are different, then it makes sense to put them into different sourcetypes. The rules you apply to those sourcetypes can be applied based on the sourcetype in props.conf. If you're defining search-time extractions, those would be applied to the sourcetype in props.conf on the search head. If you are defining index-time extractions, defining line-breaking, timestamp format, or using transforms, etc., those would be applied to the sourcetype in props.conf on the indexers. If you are using structured data header extractions such as INDEXED_EXTRACTIONS, those would go into props.conf on the forwarder. Depending on your data and needs, you could end up with props.conf configurations on all 3 instances for a given sourcetype, or a combination of such.

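A props.conf layout that follows the split described in the answer above, added here as an illustration and not taken from the thread or from any Splunk add-on; the two Blue Coat event shapes, the stanza names and the transforms stanza name are assumptions:

```ini
# Added example. Assumed event shapes (constructed, not from the thread):
#   bluecoat         -> "Mar 26 13:45:01 proxy1 bluecoat: ..."      (syslog-relayed)
#   bluecoat_proxysg -> "2024-03-26 13:45:01 120 10.0.0.5 200 ..."  (W3C ELFF)

# ---------- props.conf on the indexers (or heavy forwarder) ----------
# Index-time rules: line breaking, timestamp recognition, transforms.
[bluecoat]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
# 15 chars covers "Mar 26 13:45:01"; the year is absent, so Splunk infers it
MAX_TIMESTAMP_LOOKAHEAD = 15
TRUNCATE = 10000

[bluecoat_proxysg]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
# 19 chars covers "2024-03-26 13:45:01"
MAX_TIMESTAMP_LOOKAHEAD = 19
TRUNCATE = 10000
# ELFF "#Fields:" / "#Software:" header lines carry no timestamp: drop them
TRANSFORMS-drop_header = bluecoat_proxysg_drop_header

# ---------- transforms.conf on the indexers (assumed stanza name) ----------
[bluecoat_proxysg_drop_header]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue

# ---------- props.conf on the search head ----------
# Search-time field extraction only; nothing here changes indexed data.
[bluecoat_proxysg]
EXTRACT-elff_lead = ^(?<date>\S+)\s(?<time>\S+)\s(?<time_taken>\d+)\s(?<c_ip>\S+)\s(?<sc_status>\d+)

# Neither assumed format is structured (CSV/JSON), so no INDEXED_EXTRACTIONS
# stanza is needed in props.conf on the universal forwarder.
```

A wrong TIME_FORMAT shows up as events landing on the index time rather than the event time, so check `_time` against the raw timestamp on a few events of each sourcetype after deploying.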