Getting Data In

In which component in the distributed environment should I configure props.conf?

stevenbutterwor
Path Finder

I am using the universal forwarder (UF) to monitor a directory for a CSV file on a remote server. I have configured inputs.conf on the UF to monitor the dir. I am forwarding the data to a Heavy Forwarder which will then forward to an indexer cluster.

I want to tell Splunk where to find the time field and header line using a source type in props.conf.

Which component in the distributed environment needs to have the source type configured? The UF, HF or indexer layer?

Thanks

0 Karma

yannK
Splunk Employee

It depends.

  • search-time transforms go to the search head
  • index-time transforms go to the indexers (and heavy forwarders)
  • structured data (CSV/JSON) transforms go to the collector (it could be the universal forwarder)

As you are mentioning CSV with INDEXED_EXTRACTIONS = CSV, it goes in props.conf on the collector, so the UF. The events will not be reparsed again at the indexer level.

ddrillic
Ultra Champion

Thank you @yannk for the clear delineation.

0 Karma

ddrillic
Ultra Champion

CSV is unique. You should have INDEXED_EXTRACTIONS = CSV on all three props.conf.

0 Karma

stevenbutterwor
Path Finder

So I need props at all three layers?

0 Karma

ddrillic
Ultra Champion

For the CSV case, you need it at the forwarder level and at the indexer level, and from a best-practices perspective, the three layers should be identical configuration-wise.

0 Karma

stevenbutterwor
Path Finder

Excellent, so as long as I have INDEXED_EXTRACTIONS = CSV it should pick up the fields? Or do I need HEADER_FIELD_LINE_NUMBER = 1 also?

0 Karma

ddrillic
Ultra Champion

HEADER_FIELD_LINE_NUMBER = 1 is fine or you can let Splunk detect it...

I just used the Add Data feature for a csv file and it shows -

I deleted all except INDEXED_EXTRACTIONS = CSV and finished the upload. The data and all the fields are extracted and the generated stanza in props.conf is surprisingly -

[csv_tst]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

0 Karma
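
An added example, not posted by anyone in this thread: a forwarder-side configuration for the case in the question, where the UF monitors a CSV directory and the source type names the header line and the time column. The directory path, index, source type name `remote_csv`, column name `event_time` and time format are assumptions for illustration.

```ini
# --- inputs.conf on the universal forwarder ---
# Path, index and sourcetype name are constructed for this example.
[monitor:///opt/exports/csv]
whitelist = \.csv$
sourcetype = remote_csv
index = main
disabled = false

# --- props.conf on the same universal forwarder ---
[remote_csv]
# Parse the file as structured CSV where it is collected.
INDEXED_EXTRACTIONS = csv
# Line of the file that holds the column names.
HEADER_FIELD_LINE_NUMBER = 1
FIELD_DELIMITER = ,
# Column that carries the event time ("event_time" is an assumed header name).
TIMESTAMP_FIELDS = event_time
# strptime format of that column, for values like 2024-01-31 13:45:10
TIME_FORMAT = %Y-%m-%d %H:%M:%S
# Each CSV row is a single event.
SHOULD_LINEMERGE = false
```

Running `splunk btool props list remote_csv --debug` on each tier shows which file each effective setting comes from, which helps confirm the stanza is deployed where intended.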