props.conf - Add or override processing properties

props.conf - Add or override processing properties

These parameters add or reconfigure processing properties inside the Splunk Server. Properties are exposed by individual processors within a Splunk pipeline.

Filename

• props.conf (within any subdirectory of $SPLUNK_HOME/etc/bundles/)

Format

[<spec>]
attribute1 = val1
attribute2 = val2
...

Spec

• <sourcetype>

the sourcetype of an event 

• host::<host>

where <host> is the host for an event

• reportinghost::<host>

where <host> is the reporting host for an event

• source::<source>

where <source> is the source for an event

Attributes

If the same <spec> is found in two bundle directories, the following

precedence rules apply.

• Attributes in the "local" bundle are read first.
• Attributes in other bundles except "default" are loaded in alphabetical order of bundle name.
• Attributes in the "default" bundle are read last.

Overriding is performed attribute by attribute.

Linemerging

• SHOULD_LINEMERGE = <bool> (True)

 When set to true splunk can combine several input lines into a single

   event, based on the following configuration attributes.

The following are used only when SHOULD_LINEMERGE = True

• AUTO_LINEMERGE = <bool> (True)

Directs splunk to use automatic learning methods to determine

   where to break a stream of lines into events.

• BREAK_BEFORE_DATE = <bool> (True)

When set to true, splunk will create a new event when it encounters

   a new line with a timestamp. It will also emit an event containing

   all lines since the last new event was created. Note that splunk

   will still create a new event unless there is a rule that says

   not to break or the automatic learning method determines

   that splunk should not break.

• MUST_BREAK_BEFORE = <regular expression> (^\s*$)

 Note   Deprecated.  

When set, splunk will create a new event when it encounters a new line

   that matches the regular expression. This is similar to BREAK_BEFORE_DATE.

• BREAK_ONLY_BEFORE_DATE = <bool> False

When set, splunk will create a new event if and only if it encounters

   a new line with a date.

• BREAK_ONLY_BEFORE = <regular expression> (Empty)

When set, splunk will create a new event if and only if it encounters

   a new line that matches the regular expression

• MUST_BREAK_AFTER = <regular expression> (Empty)

When set, and the regular expression matches the current line,

   splunk is guaranteed to create a new event for the next input line.

   Splunk may still break before the current line if another rule matches.

• MUST_NOT_BREAK_AFTER = <regular expression> (Empty)

When set and the current line matches the regular expression, splunk will

   not break on any subsequent lines until the MUST_BREAK_AFTER expression

   matches. 

• MAX_EVENTS = <integer> (256)

Specifies the maximum number of input lines that will be added to any

   event. Splunk will break after the specified number of lines are read.

Timestamp extraction configuration

• DATETIME_CONFIG = <filename relative to SPLUNK_HOME> (/etc/datetime.xml)

Specifies the file to configure the timestamp extractor.

   This configuration may also be set to "NONE" to prevent the timestamp

   extractor from running or "CURRENT" to assign the current system time

   to each event.

• MAX_TIMESTAMP_LOOKAHEAD = <integer> (150)

Specifies how far into an event splunk should look for a timestamp.

File format handling

• NO_BINARY_CHECK = <bool> False

Specifies whether all file inputs should be processed without first checking to see if they may be unparsable binary data. By default, Splunk skips over files that appear to be binaries, since there will be no searchable fields in them unless they're preprocessed first. This property can only be applied to sources.

Typing configuration

• TYPING_CONFIG = <filename relative to SPLUNK_HOME>

               (/etc/event-types/current/default.xml)

Specifies the file to configure the event typer.

   This configuration may also be set to "NONE" to prevent the event typer

   from running.

• AUTO_TAG = <bool> (False)

Specifies whether to automatically tag new event types with important

   keywords from events of that event type.

Regex configuration

• REGEXES<class> = <"regex name","regex name",...> {see regexes.conf.spec}

Regular expressions can be defined in regex.conf files.  Splunk configures classes of regular expressions for each event.

   For each class, splunk takes the configuration from the highest precedence

   configuration block. This means that if a particular class is

   specified for a source, it will override the same class if it is specified

   for a sourcetype. Similarly, if a particular class is specified in the

   local bundle for a sourcetype, it will override that class for the

   default bundle for that sourcetype.

   The following is an example REGEXES class in the default bundle for

   all sourcetypes:

REGEXES-annotation = filetype,loglevel,os,browser,language,ip,email,url

Source Type configuration

• sourcetype = <string> (Empty)

If set for a [source::...] block, it will cause that source to be

   assigned the specified sourcetype.

Examples

• If host matches nyc* then set Eastern Time Zone. Splunk understands the POSIX time zone format.

[host::nyc.*]
TZ = EST-5EDT01:00:00,M4.1.0/02:00:00,M10.5.0/02:00:00

• If the sourcetype is apache_error,

linemerge source data into multi-line events.

[apache_error]
SHOULD_LINEMERGE = True

• If the source matches, turn on auto-tagging.

The tags will be based on useful-looking words in events

during typing process.

[source::...datatotag.*]
AUTO_TAG = 1

• Use the shipped syslog-regex in regex-props.conf to extract meta events.

[source::...sysloglikesource.*]
REGEXES = syslog-regex

• Use the regex access-ip in overlay-regex-props.conf to extract meta-events.

[source::...access.*]
REGEXES = access-ip