Getting Data In

Cleaning up props.conf, | (OR) not working for multiple sources

jeff
Contributor

I have the following in props.conf

[source::udp:32001]
TZ = UTC
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
BREAK_ONLY_BEFORE_DATE = True
SHOULD_LINEMERGE = False

[source::udp:32002]
TZ = UTC
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
BREAK_ONLY_BEFORE_DATE = True
SHOULD_LINEMERGE = False

[source::udp:32006]
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
BREAK_ONLY_BEFORE_DATE = True
SHOULD_LINEMERGE = False

From what I've read, it seems this should work to "simplify" my props.conf, but when I actually implement this it doesn't work:

[source::udp:32001|udp:32002|udp:32006]
TIME_FORMAT             = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
BREAK_ONLY_BEFORE_DATE  = True
SHOULD_LINEMERGE        = False

[source::udp:32001|udp:32002]
TZ                      = UTC

With source-specific entries, time settings are correctly interpreted. When I attempt to configure a single stanza with multiple sources using |, it fails (most notably, the log data from udp:32001/2 are shifted 5 hours in the future).

Is this not supported? Or am I just doing it wrong? 🙂


dmaislin_splunk
Splunk Employee

Also, if you want to see a complete view of your Splunk install, install the Splunk on Splunk (SoS) app with SideView Utils. You can see everything about your Splunk environment in one place.

http://splunk-base.splunk.com/apps/29008/sos-splunk-on-splunk

http://splunk-base.splunk.com/apps/22279/sideview-utils


_d_
Splunk Employee

Give this notation a try:

[source::(udp:32001)|(udp:32002)|(udp:32006)]

Also, to troubleshoot further and to see where and what parameters are set for each source, use btool:

splunk cmd btool props list [stanza_name]

or, for even more verbosity:

splunk cmd btool --debug props list [stanza_name]

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

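An offline way to see which stanzas a given source picks up, added here as an example that is not part of this thread or of Splunk itself: it loads props.conf with Python's configparser and approximates Splunk's source:: matching (the translation of `...`, `*`, `|` and parentheses into a regex is an assumption), so it complements rather than replaces the btool check above.

```python
import re
from configparser import ConfigParser

# Constructed input: the consolidated props.conf from the question.
PROPS = """
[source::udp:32001|udp:32002|udp:32006]
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
BREAK_ONLY_BEFORE_DATE = True
SHOULD_LINEMERGE = False

[source::udp:32001|udp:32002]
TZ = UTC
"""

def pattern_to_regex(pattern):
    """Anchored regex for a source:: pattern. Assumed semantics: '...' matches
    any text, '*' any text except '/', '|' and '()' work as in a regex, and
    everything else is literal."""
    def translate(m):
        tok = m.group(0)
        if tok == "...":
            return ".*"
        if tok == "*":
            return "[^/]*"
        return tok if tok in "|()" else re.escape(tok)
    return re.compile("^(?:" + re.sub(r"\.\.\.|.", translate, pattern, flags=re.S) + ")$")

def load_props(props_text):
    cp = ConfigParser(interpolation=None)  # values contain '%', so no interpolation
    cp.optionxform = str                   # keep key case, e.g. TIME_FORMAT
    cp.read_string(props_text)
    return cp

def matching_stanzas(props_text, source):
    """Names of the source:: stanzas whose pattern matches `source`, in file order."""
    return [s for s in load_props(props_text).sections()
            if s.startswith("source::") and pattern_to_regex(s[len("source::"):]).match(source)]

def resolve(props_text, source):
    """Merge settings from every matching stanza; the same key with different
    values is recorded as a conflict rather than ranked by precedence."""
    cp, merged, conflicts = load_props(props_text), {}, {}
    for stanza in matching_stanzas(props_text, source):
        for key, value in cp[stanza].items():
            if key in merged and merged[key] != value:
                conflicts.setdefault(key, set()).update({merged[key], value})
            merged.setdefault(key, value)
    return merged, conflicts
```

Running `resolve(PROPS, "udp:32006")` shows no TZ for that source, which is what the consolidated config intends; a source that unexpectedly lands in the "no TZ" bucket is the first thing to look for when timestamps come out hours off.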

jeff
Contributor

Nope - fraid not. Simple test:

[source::(udp:32001)|(udp:32002)|(udp:32006)]
FIELDALIAS-user2 = User_Name as user2

[source::udp:32001]
FIELDALIAS-user = User_Name as user
FIELDALIAS-user3 = User_Name as user3

"user" and "user3" get picked up, "user2" does not. btool picks up the settings and reports the stanza as written in props.conf, so...

Think I'm just going to report a bug and move on.
