props.conf.spec, continued
#******************************************************************************
# Sourcetype configuration
#******************************************************************************
sourcetype = <string>
* Can only be set for a [<source>::...] stanza.
* Anything from that <source> is assigned the specified sourcetype.
* Defaults to empty.
# The following attribute/value pairs can only be set for a stanza that begins with [<sourcetype>]:
invalid_cause = <string>
* Can only be set for a [<sourcetype>] stanza.
* Splunk will not index any data with invalid_cause set.
* Set <string> to "archive" to send the file to the archive processor (which runs the command given in unarchive_cmd).
* Set to any other string to log an error in splunkd.log when Splunklogger is running in debug mode.
* Defaults to empty.
is_valid = <true/false>
* Automatically set by invalid_cause.
* DO NOT SET THIS.
* Defaults to true.
unarchive_cmd = <string>
* Only called if invalid_cause is set to "archive".
* <string> specifies the shell command to run to extract an archived source.
* Must be a shell command that takes input on stdin and produces output on stdout. Because the value is
executed as a shell command by Splunk, treat it as trusted configuration that only administrators can edit.
* DOES NOT WORK ON BATCH PROCESSED FILES. Use preprocessing_script.
* Defaults to empty.
LEARN_MODEL = <true/false>
* For known sourcetypes, the fileclassifier will add a model file to the learned bundle.
* To disable this behavior for diverse sourcetypes (such as source code, where there is no good
exemplar from which to build a sourcetype model), set LEARN_MODEL = false.
* Defaults to empty.
maxDist = <integer>
* Determines how different a sourcetype model may be from the current file.
* The larger the value, the more forgiving.
* For example, if the value is very small (e.g., 10), then files of the specified
sourcetype should not vary much.
* A larger value indicates that files of the given sourcetype vary quite a bit.
* Defaults to 300.
# rule:: and delayedrule:: configuration
MORE_THAN<optional_unique_value>_<number> = <regular expression> (empty)
LESS_THAN<optional_unique_value>_<number> = <regular expression> (empty)
An example attribute value would be:
[rule::bar_some]
sourcetype = source_with_lots_of_bars
# if more than 80% of lines have "----", but less than 70% have "####"
# declare this a "source_with_lots_of_bars"
MORE_THAN_80 = ----
LESS_THAN_70 = ####
A rule can have many MORE_THAN and LESS_THAN patterns, and all
are required for the rule to match.
#******************************************************************************
# Segmentation configuration
#******************************************************************************
SEGMENTATION = <string>
* Specifies the segmenter from segmenters.conf to use at index time.
* You can set segmentation for any of the <spec> outlined at the top of this file.
SEGMENTATION-<segment selection> = <string>
* Specifies that SplunkWeb should use a specific segmenter for the given <segment selection>
choice.
* Example segment selection choices are: all, inner, outer, raw.
#******************************************************************************
# Binary file configuration
#******************************************************************************
NO_BINARY_CHECK = <bool>
* When set to true, Splunk will process binary files.
* By default, binary files are ignored.
* Defaults to false.
#******************************************************************************
# File checksum configuration
#******************************************************************************
CHECK_METHOD = <entire_md5, modtime>
* By default, if the checksums of the first and last 256 bytes of a file match existing stored
checksums, Splunk lists the file as already indexed and thus ignores it.
* Set this to "entire_md5" to use the checksum of the entire file.
* Alternatively, set this to "modtime" to check only the modification time of the file.
* Defaults to endpoint_md5, the first-and-last-256-bytes check described above.
#******************************************************************************
# Internal settings
#******************************************************************************
# NOT YOURS. DO NOT SET.
_actions = <string> ("new,edit,delete")
* Internal field used for user-interface control of objects.
* Defaults to "new,edit,delete".
pulldown_type = <bool>
* Internal field used for user-interface control of sourcetypes.
* Defaults to empty.
props.conf.example
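# Copyright (C) 2005-2008 Splunk Inc. All Rights Reserved. Version 3.0
#
# The following are example props.conf configurations. Configure properties for your data.
#
# To use one or more of these configurations, copy the configuration block into
# props.conf in your own custom bundle.
#
# For help creating a bundle directory, or to learn more about bundles (including bundle precedence)
# please see the documentation located at http://www.splunk.com/doc/latest/admin/bundleconfig.
#
# Conventions used in this file: one [stanza] per block, one attribute = value per line,
# full-line # comments only, and lowercase true/false for boolean attributes.
########
# Line merging settings
########
# The following example will linemerge source data into multi-line events for the apache_error sourcetype.
[apache_error]
SHOULD_LINEMERGE = true
########
# Settings for tuning
########
# The following example limits the number of characters indexed per event from host::small_events.
[host::small_events]
TRUNCATE = 256
# The following example turns off DATETIME_CONFIG (which can speed up indexing) for any path
# that ends in /mylogs/*.log.
[source::.../mylogs/*.log]
DATETIME_CONFIG = NONE
########
# Timestamp extraction configuration
########
# The following example sets the Eastern Time Zone if the host matches nyc*.
[host::nyc*]
# daylight-saving rule in effect from 2007 onward
TZ = EST-5EDT,M3.2.0,M11.1.0
# rule for 2006 and before, kept for reference only (commented out so it is not applied):
# TZ = EST-5EDT,M4.1.0/02:00:00,M10.5.0/02:00:00
# The following example uses a custom datetime.xml that has been created and placed in a custom bundle.
# This will set all events coming in from hosts starting with LA to use this custom file.
[host::LA*]
DATETIME_CONFIG = <etc/bundles/custom_time/datetime.xml>
########
# Transform configuration
########
# The following example will create a search field for host::foo if tied to a stanza in transforms.conf.
[host::foo]
TRANSFORMS-foo = foobar
# The following example will create an extracted field if tied to a stanza in transforms.conf.
# NOTE(review): the original comment named sourcetype access_combined while the stanza is
# eventtype::my_custom_eventtype; confirm which of the two was intended.
[eventtype::my_custom_eventtype]
REPORT-baz = foobaz
########
# Sourcetype configuration
########
# The following example sets a sourcetype for the file web_access.log.
[source::.../web_access.log]
sourcetype = splunk_web_access
# The following example decompresses gzipped syslog files before they are indexed.
# unarchive_cmd is executed by Splunk as a shell command (input on stdin, output on stdout),
# so this file should be editable only by trusted administrators.
[syslog]
invalid_cause = archive
unarchive_cmd = gzip -cd -
# The following example learns a custom sourcetype and limits the range between different examples
# with a smaller than default maxDist (the default is 300).
[custom_sourcetype]
LEARN_MODEL = true
maxDist = 30
# rule:: and delayedrule:: configuration
# The following examples create sourcetype rules for custom sourcetypes with custom regex.
# Every MORE_THAN/LESS_THAN pattern in a rule must match for the rule to apply.
[rule::bar_some]
sourcetype = source_with_lots_of_bars
MORE_THAN_80 = ----
# delayedrule:: is the stanza prefix named in props.conf.spec
[delayedrule::baz_some]
sourcetype = my_sourcetype
LESS_THAN_70 = ####
########
# File configuration
########
# Binary file configuration
# The following example makes Splunk process binary files from host::sourcecode instead of ignoring them.
[host::sourcecode]
NO_BINARY_CHECK = true
# File checksum configuration
# The following example will check the entirety of every file in the web_access dir rather than
# skipping files that appear to be the same.
[source::.../web_access/*]
CHECK_METHOD = entire_md5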