Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

configuring props.conf

abhayneilam
Contributor
‎04-03-2013 06:49 AM

Hi,

I have configured my props.conf and mentioned the "sourcetype" but later I dont see that sourcetype listed in the list while adding the data manually through manager-->datainput-->etc

I want to write/make changes in my configuration file so that whaterver the sourcetype I will define here would be listed in the SPLUNK while adding the data manually

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-03-2013 03:22 PM

You just need to add:

pulldown_type = true

to your props.conf config for the sourcetype.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-03-2013 03:22 PM

You just need to add:

pulldown_type = true

to your props.conf config for the sourcetype.

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎04-05-2013 01:59 AM

Don't worry, If gkanapathy says so, just do it. 🙂

0 Karma
Reply
Solved! Jump to solution

abhayneilam
Contributor
‎04-05-2013 01:15 AM

Can you please let me know any other alternative If i dont set this value in props.conf as per Spulnk Document ?

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎04-04-2013 12:43 AM

That is true. But the docs for props.conf say;

# NOT YOURS. DO NOT SET.

0 Karma
Reply
Solved! Jump to solution

jbsplunk
Splunk Employee
Splunk Employee
‎04-03-2013 07:00 AM

If you're saying that you'd like to define a sourcetype at the input level, that is certainly possible.

from inputs.conf.spec

sourcetype = <string>
* Sets the sourcetype key/field for events from this input.
* Primarily used to explicitly declare the source type for this data, as opposed
  to allowing it to be determined via automated methods.  This is typically
  important both for searchability and for applying the relevant configuration for this
  type of data during parsing and indexing.
* Detail: Sets the sourcetype key's initial value. The key is used during
  parsing/indexing, in particular to set the source type field during
  indexing. It is also the source type field used at search time.
* As a convenience, the chosen string is prepended with 'sourcetype::'.
* WARNING: Do not quote the <string> value: sourcetype=foo, not sourcetype="foo".
* If unset, Splunk picks a source type based on various aspects of the data.
  There is no hard-coded default.

I am not entirely sure what your asking, but if you tell splunk via an input stanza to monitor a particular file/directory, and you specify a sourcetype, any data handled by that input stanza will have the specified sourcetype assigned to it's metadata.

0 Karma
Reply
Solved! Jump to solution

abhayneilam
Contributor
‎04-03-2013 07:37 AM

I would explain you rather . When we try to import data manually through the Splunk GUI, we can provide sourcetype either by "Automatic","Manuall" or by "From List" options, I want to configure my splunk so that whatever source type I will define in props.conf file will be shown when I would selecet "From List" Option.
Please let me know if it is still unclear to you

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...