Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Cleaning up props.conf, | (OR) not working for multiple sources

jeff
Contributor
‎11-29-2011 07:47 AM

I have the following in props.conf



[source::udp:32001]

TZ                      = UTC

TIME_FORMAT             = %b %d %H:%M:%S

MAX_TIMESTAMP_LOOKAHEAD = 32

BREAK_ONLY_BEFORE_DATE  = True

SHOULD_LINEMERGE        = False

[source::udp:32002]
TZ = UTC
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
BREAK_ONLY_BEFORE_DATE = True
SHOULD_LINEMERGE = False

[source::udp:32006]
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
BREAK_ONLY_BEFORE_DATE = True
SHOULD_LINEMERGE = False

From what I've read, it seems this should work to "simplify" my props.conf, but when I actually implement this it doesn't work:

[source::udp:32001|udp:32002|udp:32006]
TIME_FORMAT             = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
BREAK_ONLY_BEFORE_DATE  = True
SHOULD_LINEMERGE        = False

[source::udp:32001|udp:32002]
TZ                      = UTC

With source-specific entries, time settings are correctly interpreted. When I attempt to configure a single stanza with multiple sources using |, it fails (most notably, the log data from udp:32001/2 are shifted 5 hours in the future).

Is this not supported? Or am I just doing it wrong? 🙂

Tags (1)
0 Karma
Reply

dmaislin_splunk
Splunk Employee
Splunk Employee
‎12-08-2011 07:46 AM

Also, if you want to see a complete view of your Splunk install, install the Splunk on Splunk (SoS) app with SideView Utils. You can see everything about your Splunk environment in one place.

http://splunk-base.splunk.com/apps/29008/sos-splunk-on-splunk

http://splunk-base.splunk.com/apps/22279/sideview-utils

0 Karma
Reply

_d_
Splunk Employee
Splunk Employee
‎11-29-2011 01:31 PM

Give this notation a try:

[source::(udp:32001)|(udp:32002)|(udp:32006)]

Also, to troubleshoot further and to see where and what parameters are set for each source use btool :

splunk cmd btool props list [stanza_name]

or, for even more verbosity:

splunk cmd btool --debug props list [stanza_name]

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

0 Karma
Reply

jeff
Contributor
‎12-08-2011 07:41 AM

Nope - fraid not. Simple test:

[source::(udp:32001)|(udp:32002)|(udp:32006)]
FIELDALIAS-user2 = User_Name as user2

[source::udp:32001]
FIELDALIAS-user = User_Name as user
FIELDALIAS-user3 = User_Name as user3

"user" and "user3" get picked up, "user2" does not. btool picks up the settings and reports the stanza as written in props.conf, so...

Think I'm just going to report a bug and move on.

0 Karma
Reply
Get Updates on the Splunk Community!

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...