Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit the configuration files?

bhupinder_singh
Explorer
‎06-20-2012 05:04 PM

I am new to splunk. Could anyone please tell me how should I proceed in editing the .conf files in local directory? Are these changes critical to the parsing of the log files before they are indexed for search? I know that the inputs.conf and sourcetypes.conf has to be changed but I am not getting the required fields as per the log files, even if I do not make any changes at all.

Thanks.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎06-20-2012 06:19 PM

The best place to start is here.

http://docs.splunk.com/Documentation/Splunk/5.0/Tutorial/GetthesampledataintoSplunk

For the basics of adding data to Splunk this will make changes to the config files for you. For more advanced data there are examples and details in our online documentation as well.

View solution in original post

Reply
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎06-20-2012 06:19 PM

The best place to start is here.

http://docs.splunk.com/Documentation/Splunk/5.0/Tutorial/GetthesampledataintoSplunk

For the basics of adding data to Splunk this will make changes to the config files for you. For more advanced data there are examples and details in our online documentation as well.

Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎06-21-2012 02:52 PM

I would recommend trying the field extractor. That might help you get some of the extractions that aren't discovered automatically.

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/ExtractfieldsinteractivelywithIFX

0 Karma
Reply
Solved! Jump to solution

bhupinder_singh
Explorer
‎06-21-2012 01:47 PM

I have read this in a good many places that rather than playing with config files beforehand, it is always better to do it after providing the input and parsing , i.e. - dynamic searching. This may result in addition of fields when we use regex on the log event entries in the index obtained from Splunk.
But making changes with regex for a particular field, then obtaining one of use and then saving it is also not an easy task, especially if you are not good at regex.

Thanks.

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎06-20-2012 08:45 PM

Usually parsing rules and field extraction (index time and search-time) are in props.conf organized per sourcetype

For index time, add it on the indexer, for search-time, on the search-head (if any).

Remarks :

  • never edit the /default/ always create a new file in /local/ to contains your new settings and modifications.
  • If you edit a config file, restart the splunk instance to apply.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...