Getting Data In

How to troubleshoot why props.conf settings did not take effect and an index was not automatically created?

imanpoeiri
Communicator

Hi Experts,

I dont want to wake up any zombies, hence I create new thread here.

I have props.conf file works on my local as follow, however it didnt works on other environment (i.e. SIT).

Additional info:
1. Single server machine
2. OS: UNIX
3. Index was not created automatically too

Sample props.conf:

[my_sourcetype_sample]
INDEXED_EXTRACTIONS=csv
TRUNCATE = 20000
TIMESTAMP_FIELDS = "Time"
CHARSET = latin1
FIELDALIAS-alias_order_sample =  "Product" As product "Time" As time_submitted "Error State" As error_state "Order ID" As order_id "Order state" As order_state "Processed Systems" as processed_systems

Sample inputs.conf:

monitor://$SPLUNK_HOME/etc/apps/my-sample-app/samples/sample-order-data.csv]
index = my_index_sample
sourcetype = my_sourcetype_sample
disabled = 0
initCrcLength=1024

Sample of indexes.conf

[my_index_sample]
coldPath = $SPLUNK_DB/my_index_sample/colddb
homePath = $SPLUNK_DB/my_index_sample/db
thawedPath = $SPLUNK_DB/my_index_sample/thaweddb

Sample of data:

Time,Product,Error State,Order ID,Order state,Processed Systems
6/24/2015 8:29,Mobile,No Error,893501,Succeeded,CRM
6/24/2015 8:29,Mobile,No Error,893502,Succeeded,CRM
6/24/2015 8:29,Mobile,No Error,893503,Succeeded,CRM

Any advice where I missed out?

0 Karma
1 Solution

jplumsdaine22
Influencer

Try adding your indexes, props and inputs .confs to /opt/splunk/etc/system/local and then restart splunk. Run btool again to check that they're being picked up. Not sure where you have them at the moment.

If you have conflicting stanza names in other config files, they are processed in the following order - that could be your issue

  1. System local directory -- highest priority
  2. App local directories
  3. App default directories
  4. System default directory -- lowest priority

See http://docs.splunk.com/Documentation/Splunk/6.3.1/Admin/Wheretofindtheconfigurationfiles

View solution in original post

jplumsdaine22
Influencer

Try adding your indexes, props and inputs .confs to /opt/splunk/etc/system/local and then restart splunk. Run btool again to check that they're being picked up. Not sure where you have them at the moment.

If you have conflicting stanza names in other config files, they are processed in the following order - that could be your issue

  1. System local directory -- highest priority
  2. App local directories
  3. App default directories
  4. System default directory -- lowest priority

See http://docs.splunk.com/Documentation/Splunk/6.3.1/Admin/Wheretofindtheconfigurationfiles

imanpoeiri
Communicator

Hey @jplumsdaine22,

Copy all from folder called default and paste it into folder called local and works like magic!

Thanks & appreciate that!

0 Karma

jplumsdaine22
Influencer

Hi,

When you say the props.conf didn't load, what problem are you seeing? EG
No data at all?
Incorrect timestamps?
Incorrect field extractions?
Splunk won't start due to syntax errors?
Missing index?

0 Karma

imanpoeiri
Communicator

Hi @jplumsdaine22,

Thanks to point that out, here you go what I have done:

  1. Index was not created automatically after first bounce - indicates that indexes.conf not working
  2. I create index manually via splunk web to check whether data problem or not
  3. Index was created and I can see data from csv file indexed properly
  4. I notice that field-alias not working - indicates that props.conf not working too
  5. Checked here and there but still not working
  6. Those file config working fine on my local
0 Karma

jplumsdaine22
Influencer

Definately run

$SPLUNK_HOME/bin/splunk cmd btool props list --debug

This will show you what settings are being applied from which file. You can run the command with indexes as well to see what applies for indexes.conf.

What is the path of the props.conf and indexes.conf that you think are correct?

0 Karma

imanpoeiri
Communicator

Hi @jplumsdaine22,

You are right, I run it on my local and I managed to find my application configuration in there. But it is not happen on SIT environment where the config files that was read is few only:

/opt/splunk/etc/system/default/props.conf
/opt/splunk/etc/apps/splunk_management_console/default
/opt/splunk/etc/apps/learned/local/props.conf
/opt/splunk/etc/apps/mobile_access/default/props.conf
/opt/splunk/etc/apps/search/default/props.conf
0 Karma

DMohn
Motivator

Can you please give some more details regarding your Splunk Environment? Are you using a single machine or a distributed environment? Where did you do the changes?

The index will only be created, if you modify the indexes.conf on the indexer servers (or the master in a distributed env, and push the packages). Where have you defined inputs and props?

With some more details we will sure be able to help!

0 Karma

imanpoeiri
Communicator

Hi DMohn,

Sorry for the incomplete of details. Thanks for the input, here you go:

Additional info:
1. Single server machine
2. OS: UNIX
3. Index was not created automatically too

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...