How to configure props.conf for two different log ...

iherre312 · ‎10-15-2015

I have a two different props.conf stanzas for two different log types (i.e., bluecoat and bluecoat_proxysg). What is the best way to handle props.conf? Should I just create a separate sourcetype for each? The timestamps are in different formats and locations in the events.

rphillips_splk · ‎10-15-2015

If your timestamps for the two different types of log types are different then it makes sense to put them into different sourcetypes. The rules you apply to those sourcetypes can be applied based on the sourcetype in props.conf. If you're defining search-time extractions those would be applied to the sourcetype in props.conf on the search head. If you are defining index-time extractions, defining line-breaking , timestamp format, or using transforms etc those would be applied to the sourcetype in props.conf on the indexers. If you are using structured data header extractions such as INDEXED_EXTRACTIONS those would go into props.conf on the forwarder. Depending on your data and needs you could end up with props.conf configurations on all 3 instances for a given sourcetype or a combination of such.

How to configure props.conf for two different log types: bluecoat and bluecoat_sg?

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability

Introducing the Splunk Community Dashboard Challenge!