Getting Data In

Why am I unable to set sourcetype in props.conf?

Michael
Contributor

I have a syslog feed sending me firewall data from a linux system. It calls that sourcetype syslog, of course.

I'm following the docs here:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Createsourcetypes

and have added the stanza in my props.conf:

[source::/var/log/firewall.log]
sourcetype = firewall

And it doesn't work.

I see in some places (online docs and answers, and in the default/props.conf) that it uses the stanza format with leading "...":

[source::.../var/log/firewall.log]
sourcetype = firewall

I tried that as well, no work.

True to Splunk documentation, it doesn't say WHERE in a clustered environment I need to put this. So, I slowly added it at every level, still no workie. I added that props to the forwarders. I added it to the indexers (deployed via master). I added it to the search heads.

thoughts?

0 Karma
1 Solution

gcusello
SplunkTrust

Hi Michael,
you have to associate your sourcetype to your data flow in inputs.conf (see http://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Inputsconf), e.g.:

[udp://syslog.corp.company.net:514]
sourcetype = syslog
...

and define your sourcetype's features in props.conf (see http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf), e.g.:

[syslog]
SHOULD_LINEMERGE = True
...

Bye.
Giuseppe


0 Karma

omuelle1
Communicator

Hi,

you need to use inputs.conf to define the source of data that is being ingested. I see how the naming there can be confusing. If your data for that Linux firewall is forwarded, you should have inputs.conf with the source on the forwarders and the indexer.

In inputs.conf you then specify the sourcetype, so you don't have to use it again in props.conf.

Inputs.conf:

[source::/var/log/firewall.log]
sourcetype = firewall
index = (if you don't use an index here, it will go to main)

props.conf:

[firewall]
SHOULD_LINEMERGE = True
...
0 Karma


Michael
Contributor

Thank you Giuseppe, I will try that.

Do you have any idea WHERE I do that? Forwarders? Indexers? Search-heads? I'll try them one at a time and see what happens.

I sure wish the documentation would have mentioned that little tidbit, that it needs to be in both...

0 Karma

Michael
Contributor

Thank you sir. That did the trick.

I added them to the forwarder.

0 Karma

gcusello
SplunkTrust

Hi Michael,
inputs.conf usually is on:

  • Forwarders for inputs from files or scripts or Windows,
  • Indexers or Heavy Forwarders for inputs from syslog coming from outside, or files or scripts or Windows that are on the same Indexer.

props.conf is usually on Indexers and Search Heads, except for csv files monitoring that must be also on Forwarders.

Bye.
Giuseppe

0 Karma
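As an added example (not code from this thread or from Splunk), here is a small Python check that reads an inputs.conf and a props.conf the way Giuseppe describes above: the sourcetype is assigned on the input stanza in inputs.conf, and the sourcetype's parsing settings live under a [sourcetype] stanza in props.conf. It flags a [source::...] stanza that ended up in inputs.conf and a sourcetype that has no props.conf stanza. The file contents below are constructed; the stanza and key names are the standard ones from the docs linked above.

```python
"""Cross-check sourcetype assignments between inputs.conf and props.conf."""
import configparser

# Constructed forwarder inputs.conf: a correct monitor:// stanza plus a
# stray [source::...] stanza that belongs in props.conf, not here.
INPUTS_CONF = """
[monitor:///var/log/firewall.log]
sourcetype = firewall
index = firewall

[source::/var/log/firewall.log]
sourcetype = firewall
"""

# Constructed indexer/search head props.conf for the 'firewall' sourcetype.
PROPS_CONF = """
[firewall]
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
"""


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    cp = configparser.RawConfigParser(strict=False)  # no % interpolation
    cp.optionxform = str  # keep key case; Splunk keys are case-sensitive
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def check_sourcetypes(inputs_text, props_text):
    """Return one finding per inputs.conf stanza describing its sourcetype."""
    inputs = parse_conf(inputs_text)
    props = parse_conf(props_text)
    findings = []
    for stanza, keys in inputs.items():
        if stanza.startswith("source::"):
            findings.append(f"{stanza}: source:: stanzas belong in props.conf, not inputs.conf")
            continue
        st = keys.get("sourcetype")
        if st is None:
            findings.append(f"{stanza}: no sourcetype set; Splunk will auto-detect one")
        elif st not in props:
            findings.append(f"{stanza}: sourcetype '{st}' has no [{st}] stanza in props.conf")
        else:
            findings.append(f"{stanza}: sourcetype '{st}' OK, props.conf stanza found")
    return findings


if __name__ == "__main__":
    for line in check_sourcetypes(INPUTS_CONF, PROPS_CONF):
        print(line)
```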

sarvesh_11
Communicator

Hey @gcusello ,

If I define the sourcetype in props.conf on the forwarder itself, will that be considered?
props.conf in either system/default or system/local/props.conf, not in a specific app.

Thanks,
Sarvesh

0 Karma

DalJeanis
Legend

I haven't had to do that yet, but have you tried using the GUI to have splunk figure out the right syntax for you?

http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Setsourcetype

0 Karma

Michael
Contributor

Not yet. I did see that. Maybe tomorrow, I need to do something productive for the rest of the afternoon...

I guess after using Splunk for the half-dozen years that I have, and continually RTFM, only to have what it says NOT work, is starting to wear way thin...

0 Karma