Solved: Is an entry in props.conf required to allow an ent...

msantich · ‎05-09-2016

When the following question was asked in this forum:
What is the role of transforms.conf vs. props.conf for field extraction?

The answer was:

The high-level answer is that props.conf says what rules are applied to any event and when they are applied, and transforms.conf actually defines those rules.

but is the entry in props.conf REQUIRED to map to an entry in transforms.conf so that the rule is applied?

thank you

somesoni2 · ‎05-09-2016

Yes. Props.conf define the entity (host/source/sourcetype) to which rules will be applied and provides a pointer to a transforms.conf entry which actually defines the rule.

View solution in original post

somesoni2 · ‎05-09-2016

Yes. Props.conf define the entity (host/source/sourcetype) to which rules will be applied and provides a pointer to a transforms.conf entry which actually defines the rule.

msantich · ‎05-09-2016

very nice...thank you for the quick answer.

ppablo · ‎05-09-2016

Hi @msantich

Please be sure to resolve the question by clicking "Accept" directly below @somesoni2's answer. Don't forget to do this for all of your posts with answers that solve your issues.

Is an entry in props.conf required to allow an entry in transforms.conf to be effective?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?