
I'm looking for tips & tricks for tracking down props-related configuration issues. These kinds of things can be a pain to track down and generally use up a bunch of time getting to the root cause, so I would like to consolidate some common troubleshooting techniques to refer people to.

Oftentimes these kinds of problems are hard to describe beyond "splunk appears to be ignoring my settings"; and most often the truth is that it's not a splunk problem but a configuration problem...

If there are lots of ideas, perhaps the most useful stuff can be put on a community wiki page

Most common mistakes:

  • Knowing when you have to restart splunkd.
  • Config entry typos (such as saying TRANSFORM instead of TRANSFORMS). These can be difficult to spot.
  • Permissions issues. This is especially difficult if you have props.conf settings in one app and then set up an inputs.conf in a different app. Unless your props entries are exported, you probably will not get the results you are looking for.
  • Incorrectly named config files. (If you put your config entries in prop.conf (instead of props.conf), splunk will ignore them. Nearly all of the config files are plural.)

asked 25 Jun '10, 19:53


Lowell ♦
9.1k623
accept rate: 40%

edited 25 Jun '10, 20:00
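The three mistakes in the list above that live in files (singular config names, TRANSFORM-/REPORTS-/EXTRACTS- key typos, and props.conf knowledge objects that are not exported to other apps) can be checked mechanically. The script below is an added example written for this page, not a Splunk utility and not part of the original question; it is a heuristic lint over an app directory, and the sample app it builds is constructed to trigger each finding. The key names it treats as correct (TRANSFORMS-, REPORT-, EXTRACT-) and the `export = system` metadata setting are real Splunk conventions; everything else (the finding labels, the sample stanzas) is made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): lint a Splunk app directory for the
# common props.conf mistakes listed in the question. Heuristic only.

# lint_splunk_app APP_DIR -> prints one finding per line; returns 1 if anything was found
lint_splunk_app() {
  app=$1
  findings=0

  # (1) Misnamed files: splunkd reads props.conf / transforms.conf / inputs.conf (plural)
  for bad in prop.conf transform.conf input.conf; do
    for f in "$app/default/$bad" "$app/local/$bad"; do
      if [ -f "$f" ]; then
        echo "MISNAMED_FILE $f (splunkd reads ${bad%.conf}s.conf)"
        findings=$((findings + 1))
      fi
    done
  done

  # (2) Key typos: the real keys are TRANSFORMS-<class>, REPORT-<class>, EXTRACT-<class>
  typo_re='^[[:space:]]*(TRANSFORM-|REPORTS-|EXTRACTS-)'
  for f in "$app/default/props.conf" "$app/local/props.conf"; do
    [ -f "$f" ] || continue
    grep -nE "$typo_re" "$f" | while IFS= read -r line; do
      echo "KEY_TYPO $f:$line"
    done
    n=$(grep -cE "$typo_re" "$f" || true)   # grep -c exits 1 on zero matches; keep the count
    findings=$((findings + n))
  done

  # (3) Export check: props objects are app-private unless metadata says "export = system",
  #     so an inputs.conf in another app will not see them.
  if [ -f "$app/default/props.conf" ] || [ -f "$app/local/props.conf" ]; then
    if ! cat "$app/metadata/default.meta" "$app/metadata/local.meta" 2>/dev/null \
         | grep -qE '^[[:space:]]*export[[:space:]]*=[[:space:]]*system'; then
      echo "NOT_EXPORTED $app: props.conf objects are not exported (no 'export = system' in metadata/*.meta)"
      findings=$((findings + 1))
    fi
  fi

  [ "$findings" -eq 0 ]
}

# make_sample_app DIR -> constructed app reproducing three mistakes (sample data, not a real config)
make_sample_app() {
  mkdir -p "$1/local"
  # wrong file name: input.conf instead of inputs.conf
  printf '[monitor:///var/log/app.log]\nsourcetype = my_app\n' > "$1/local/input.conf"
  # TRANSFORM- typo on line 2; REPORT-kv on line 3 is spelled correctly and must not be flagged
  printf '[my_app]\nTRANSFORM-drop = drop_debug\nREPORT-kv = kv_pairs\n' > "$1/local/props.conf"
  # no metadata/ directory at all, so nothing is exported
}

# Stand-alone run: build the sample app, lint it, clean up.
tmp=$(mktemp -d)
make_sample_app "$tmp/sample_app"
lint_splunk_app "$tmp/sample_app" || echo "lint found problems"
rm -rf "$tmp"
```

Point it at `$SPLUNK_HOME/etc/apps/<your_app>` to lint a real app; the NOT_EXPORTED finding is only a concern when the inputs that use those sourcetypes are defined in a different app.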


3 Answers:
13

Splunk provides a few utilities that can greatly speed up the process of tracking down props-related config problems. The first two can even be used to check configuration changes without restarting splunkd. (Although, you need to restart splunkd once you get your configuration issues resolved.)

Splunk "test sourcetype" utility:

This utility will show you all of the relevant props config entries for a given log file. This lets you quickly test that your source-to-sourcetype matching rules are working properly. (Or test that any rules:: or delayedrule:: entries are functioning properly.) It will also reveal simple file permission issues. I've often found this useful in detecting overlapping source rules or issues with stanza priorities.

Example:

splunk test sourcetype /var/log/your_log_file

Splunk's "btool" utility

This utility can be used to dump a nested configuration for a specific config file or a specific stanza within a config file. You can optionally specify which application you would like to test this from. (Normally you will want to specify whichever application you have your inputs.conf set up to use.)

$SPLUNK_HOME/bin/splunk cmd btool props list <sourcetype>

Splunk | file search command

The file search command in splunk lets you view a local log file as though it were indexed. Not all props settings are honored during this process, but you can often use this to test your setup before adding a new input, and catch minor (and sometimes major) problems with timestamp recognition and event-breaking logic before loading anything into your index.

Keep in mind that any settings changes do require a splunkd restart in order to take effect here. (While it's a pain to do so, it's still faster than indexing events improperly and then having to dump your indexes and reload, or try to find and delete incorrectly indexed events.)

Example: (Type this into the search bar)

| file /var/log/your_log_file

If you want to do additional searching on your log file, you can do so with a post-search command, like so:

| file /var/log/your_log_file | search my-search-term NOT unwanted-search-term ...

Splunk's | extract reload=T search command:

This trick is useful once you have your events indexed correctly and would like to set up field extractions. This is helpful if you edit your props.conf or transforms.conf files by hand. You should be able to stick it in your search and have your config changes be reloaded, which is much faster and less problematic than restarting splunk. (Oh, and don't forget to remove this command before you save your search--you only want to use this interactively on an as-needed basis.)


Additional resources:


answered 25 Jun '10, 20:41


Lowell ♦
9.1k623
accept rate: 40%

edited 07 Feb '11, 18:57

This just made my day... thanks Lowell!!!

Brian

(25 Jun '10, 20:48) balbano

Glad you found it useful. (Feel free to vote it up!)

(25 Jun '10, 21:05) Lowell ♦

You might want to add that "| extract reload=T" will make changes in props.conf active. It is explained in the beginning of the props.conf.spec file, so people who edit props.conf will probably know. But sometimes I forget.

(27 Jun '10, 09:04) chris

Chris, you're right, the "extract reload=T" is a very helpful thing to know about. (I guess I was originally just thinking about indexing issues, but I agree that it makes sense to mention it here.) I've added a note about it.

(28 Jun '10, 15:20) Lowell ♦
1

Probably worth noting the --debug and --app options on btool. --app in particular will probably help catch many problems.

(14 Aug '10, 18:43) gkanapathy ♦
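The btool section of the answer above, together with the --debug and --app options mentioned in the comment, is where the "permissions issue" from the question usually becomes visible: with --debug, each output line is prefixed by the path of the file the setting came from, so a setting that wins from a different app than the one owning the input stands out. The script below is an added example written for this page (not Splunk code and not from the original answer): two small functions that post-process that output. The sample text is constructed to resemble `splunk cmd btool props list my_sourcetype --debug --app=my_app` output; the app names, paths and settings in it are made up, and real output will differ in column spacing and in how many system/default lines appear.

```shell
#!/bin/sh
# Added example (not from the original answer): summarize btool --debug output by origin file
# and flag settings that come from an app other than the one that owns the input.
# Real output is produced by:
#   $SPLUNK_HOME/bin/splunk cmd btool props list <stanza> --debug --app=<app>
# The sample below is CONSTRUCTED; only its shape (path, whitespace, setting) mirrors btool.

SAMPLE_BTOOL_OUTPUT='/opt/splunk/etc/apps/my_app/local/props.conf         [my_sourcetype]
/opt/splunk/etc/apps/my_app/local/props.conf         TIME_PREFIX = ^\[
/opt/splunk/etc/apps/other_app/local/props.conf      TRANSFORMS-set = drop_debug
/opt/splunk/etc/system/default/props.conf            SHOULD_LINEMERGE = true
/opt/splunk/etc/system/default/props.conf            MAX_TIMESTAMP_LOOKAHEAD = 128'

# btool_origin_report: stdin = btool --debug output; prints "KEY<TAB>FILE" per setting,
# skipping the stanza header line (the one whose second column starts with "[").
btool_origin_report() {
  awk '
    $2 ~ /^\[/ { next }                      # stanza header, not a setting
    {
      file = $1
      sub(/^[^ \t]+[ \t]+/, "")              # drop the path; rest is "KEY = VALUE"
      split($0, kv, /[ \t]*=[ \t]*/)         # kv[1] is the key
      printf "%s\t%s\n", kv[1], file
    }'
}

# foreign_app_settings APP: stdin = btool --debug output; prints keys that are supplied by
# some app under etc/apps other than APP. system/default and system/local are not flagged,
# because those are global anyway.
foreign_app_settings() {
  expected_app=$1
  btool_origin_report | awk -F '\t' -v app="$expected_app" '
    $2 ~ /\/etc\/apps\// && $2 !~ ("/etc/apps/" app "/") { print $1 }'
}

# Stand-alone run against the constructed sample.
echo "origin of each setting:"
printf '%s\n' "$SAMPLE_BTOOL_OUTPUT" | btool_origin_report
echo "settings supplied by an app other than my_app:"
printf '%s\n' "$SAMPLE_BTOOL_OUTPUT" | foreign_app_settings my_app
```

On a live system, pipe the real btool output in: `$SPLUNK_HOME/bin/splunk cmd btool props list my_sourcetype --debug --app=my_app | foreign_app_settings my_app`. Any key it prints is one whose owning app must export the object (or whose stanza belongs in the input's app) before the setting is reliably applied.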

Lowell, this is fantastic, I had been working some issues around props.conf but it would have taken me months to resolve indexing a few records at a time. With these steps I had great success and have ironed out the majority of my issues.

Brian


answered 20 Oct '10, 20:47


brianirwin
3814
accept rate: 20%

Glad to hear it.

(20 Oct '10, 22:30) Lowell ♦

answered 21 Oct '10, 00:33


gkanapathy ♦
24.1k1620
accept rate: 43%

Wow. That is a great page, I don't think I had seen that page before. Thanks for pointing it out. (For the sake of a consolidated answer, I've added this link under "Additional resources" on the answer above). Thanks!

(21 Oct '10, 18:53) Lowell ♦

Copyright © 2005-2012 Splunk, Inc. All rights reserved.