Hi Giuseppe,

A good suggestion! I would like to try it, but which one is the correct path of "props.conf" file? I found many files use the same name in Splunk installation folder.

Hi lllidan,
you can put your props.con in every "local" folder you have in your Splunk installation (never in "default" folders!) but it's better to insert it in the App where you're working.
If you didn't create an App or you are working in the "Search" App, I suggest, before start to create searches, to create an empty App and then create all the objects in this App.
The important thing is to identify sourcetype of your logs and then use this sourcetype in props.conf.

Bye.
Giuseppe

Hi Giuseppe,
do you meant I should copy "$Splunk_Home\etc\system*default**props.conf" file to "$Splunk _Home\etc\system**local**props.conf*" ? and modify the parameter "truncate = 0".

Does this method will influence "Search" App?
And how to create an empty APP in Splunk ?
thanks for your patience and time as well. to be honest, I'm a layman on this field.
Kr.,
Lllidan

Hi lllidan,
About the first question: yes, you never must modify default folders files, every time you have to copy props.con (or another file) from default to local and them modify it as you like.
If you don't do this, at first upgrade you lose all you modified.
You can see the same behavior when you modify something by web: there's a copy of your file with upgrades in local folders.
If you prefer, you can create an empty props.conf in local folder and add only the stanza name (e.g. [mysourcetype]) and the option you want (e.g. TRUNCATE = 0), because all the other options are from the default file, something like this:

[mysourcetype]
TRUNCATE = 0

About the second question: this configuration will influence all the ingestions of your sourcetype, it doesn't depends on the position of the props.conf file.

About the third question: to create a new App click on "Manage Apps" button and then "Create App" button.

I suggest to follow at least the Fundamentals I course (it's free) and some tutorial
https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchTutorial/WelcometotheSearchTutorial
https://www.tutorialspoint.com/splunk/index.htm

Bye.
Giuseppe

P.S.: if you're satisfied of this answer, please accept and/or upvote it, thank you.

Hi Giuseppe,

thanks for you kindly help, do follow that operation, but nothing change.
Actually, I need display more log contents in "file extractor" page to extract hided field.
I share two pictures to you to explain this situation, hope you can browse that.
https://pan.baidu.com/s/1g2rD1eSqtwgtziCTE_u3ow
https://pan.baidu.com/s/1LsKmOpYvGn8jEZvYqVTMkA

I really appreciate your help .

to answer your questions:
1. do you meant I should copy "$Splunk_Home\etc\system*default*props.conf" file to "$Splunk
_Home\etc\system*local*props.conf" ? and modify the parameter "truncate = 0".
Ans: yes, you can do it
2. Does this method will influence "Search" App? - yes, the \etc\system\local directory takes precedence over \etc\system\default , check thispage for more information on splunk directories and their precedence
3. And how to create an empty APP in Splunk ? - look here