- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Why are changes made in props.conf not taking effe...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why are changes made in props.conf not taking effect?
My sample data
AAA, 0.5%
BBB,0.10%
CCC,0.20%
my search looks like this
base search | rex ".*?(?[^,]+),\s*?(?.*)" | table name,value
My entire data comes in as a single event. I want to avoid this.
I am trying to split a single event into multiple events based on new-line delimiter.
my props.conf file have
[app_source]
DATETIME_CONFIG = current
NO_BINARY_CHECK = true
category = Custom
pulldown_type = true
LINE_BREAKER=([\r\n]+)
SHOULD_LINEMERGE=false
MUST_BREAK_AFTER=\%
i placed this props.conf inside the $SPLUNK_HOME/etc/system/local
i restarted the splunkd service.
still changes are not reflecting to my search.
can anyone provide some light?
I am new to Splunk. What to do to resolve this problem?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You show app_source as the stanza for your props.conf. Is that reflective of the source or sourcetype of your data? If the former, it should be source::app_source instead, as per props.conf:
<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an
event.
3. source::<source>, where <source> is the source, or source-matching
pattern, for an event.
4. rule::<rulename>, where <rulename> is a unique name of a source type
classification rule.
5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed
source type classification rule.
These are only considered as a last resort
before generating a new source type based on the
source seen.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The props.conf should be kept at the Indexer OR heavy forwarder (first Full Splunk Enterprise version) that comes first in the flow.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i placed inside the $SPLUNK_HOME/etc/search/local.
Is this different from that indexer?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Indexer is the server where data indexing happens. The $SPLUNK_HOME/etc/search/local directory is available in all Splunk instances. Since you're new to Splunk, start reading with distributed architecture of Splunk, to understand different server types, correlated with your Splunk infrastructure and then make the changes (same location) in the server designated as indexer:
http://docs.splunk.com/Documentation/Splunk/6.6.1/Capacity/ComponentsofaSplunkEnterprisedeployment
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
according to my requirement where should i make necessary changes?
Could you please tell me
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can i store props.conf inside $SPLUNK_HOME/var/lib/splunk/defaultdb/db/* this path?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The path is not the problem, it which server. I already provided you the name of the server (indexer/Heavy forwarder) but I can't tell you more specifically as I don't know your environment. How many Splunk servers you have? The server where you're monitoring the file (inputs.conf I assume), does it have Splunk Enterprise or Universal Forwarder installed?
Are you the Splunk admin for your environment? If not, you can get these answered by your admin.
Also, $SPLUNK_HOME/var/lib/splunk/defaultdb/db/* is the path for storing data, DO NOT Place anything there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I installed a windows desktop application.I don't have any forwarders like universal, heavy forwarder. I am trying to learn this , but got stuck here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok.. so you're working out of a Standalone box (which performs all roles of search head, indexer, heavy forwarder). So if you've placed the props.conf in $SPLUNK_HOME/etc/system/local, it's placed in correct location. Keep in mind that a data once indexed will not get updated even if you change the event processing configuration. The new configuration will only be applicable for any new data that will get ingested. Did you upload new data? (old data will remain as it is. If you're just testing, delete all old data and re-index the file).
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
