Getting Data In

After configuring an automatic lookup in props.conf, why is this now taking precedence over another stanza with the same sourcetype?

ronaldsc
New Member

Hello all,

Hoping someone could help clarify and hopefully help figure out an issue I've run into. I created an automatic lookup table to add some details to my event data. I created a new props.conf and added a sourcetype within the props.conf. I configured the lookup file in global context and deployed the props.conf under /app/app_name/local directory. Now for some reason, the sourcetype I added in the props.conf file which is deployed under /app/app_Name/local is taking precedence over another props.conf that I have out there with the same sourcetype which handles a lot of normalization. Question is, why is this happening and what is the best workaround or way to tackle this problem. Thanks all.

For example:
Props.conf for automatic lookup

[distributor:remote]
LOOKUP-table = logs_per_day host OUTPUTNEW average_logs AS logs_per_day

Global master Props.conf This props.conf is no longer being loaded since the one above was deployed

[distributor:remote]
SEDCMD-moveheader = s/^\<\?xml[^\>]*\>\n*//g
EXTRACT-extract_ip = (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
bunch of other things.
0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi ronaldsc,

read the docs http://docs.splunk.com/Documentation/Splunk/6.3.3/Admin/Wheretofindtheconfigurationfiles about .conf precedence.
Some time ago I learned that:

When different copies have conflicting attribute values (that is, when they set the same attribute to different values), Splunk uses the value from the file with the highest priority.

Looking at your examples there is no conflict.

Hope this helps ...

cheers, MuS

View solution in original post

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi ronaldsc,

read the docs http://docs.splunk.com/Documentation/Splunk/6.3.3/Admin/Wheretofindtheconfigurationfiles about .conf precedence.
Some time ago I learned that:

When different copies have conflicting attribute values (that is, when they set the same attribute to different values), Splunk uses the value from the file with the highest priority.

Looking at your examples there is no conflict.

Hope this helps ...

cheers, MuS

0 Karma

ronaldsc
New Member

Thanks for the quick reply, MuS. When you say you see no conflict what exactly do you mean? Based on the documentation you pointed me to it would seem that my sourcetype stanza in the newer props.conf would take precedence over the one under my TA directory since the custom app name comes before the TA path. Does this mean the one in TA gets ignored completely or does it mean that only duplicate declarations are ignored?

0 Karma

MuS
SplunkTrust
SplunkTrust

Only duplicates will be taken form the higher precedence .conf file

0 Karma

MuS
SplunkTrust
SplunkTrust
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...