Source type settings in props.conf

Source type settings in props.conf

There are source type specific settings in props.conf. Specify settings for a source type using the following attribute/value pairs. Add sourcetype stanza to $SPLUNK_HOME/etc/bundles/local/props.conf or create your own custom bundle directory. Please read more about how configuration files work.

Note: The following attribute/value pairs can only be set for a stanza that begins with [<$SOURCETYPE>]:

invalid_cause = <string>

• Can only be set for a [<sourcetype>] stanza.
• Splunk will not index any data with invalid_cause set.
• Set <string> to "archive" to send the file to the archive processor (specified in unarchive_cmd).
• Set to any other string to throw an error in the splunkd.log if running Splunklogger in debug mode.
• Defaults to empty.

unarchive_cmd = <string>

• Only called if invalid_cause is set to "archive".
• <string> specifies the shell command to run to extract an archived source.
• Must be a shell command that takes input on stdin and produces output on stdout.
• DOES NOT WORK ON BATCH PROCESSED FILES. Use preprocessing_script.
• Defaults to empty.

LEARN_MODEL = <true/false>

• For known sourcetypes, the fileclassifier will add a model file to the learned bundle.
• To disable this behavior for diverse sourcetypes (such as sourcecode, where there is no good exemplar to make a sourcetype) set LEARN_MODEL = false.
  • More specifically, set LEARN_MODEL to false if you can easily classify your source by its name or a rule and there's nothing gained from trying to analyze the content.
• Defaults to empty.

maxDist = <integer>

• Determines how different a sourcetype model may be from the current file.
• The larger the value, the more forgiving.
• For example, if the value is very small (e.g., 10), then files of the specified sourcetype should not vary much.
• A larger value indicates that files of the given sourcetype vary quite a bit.
• Defaults to 300.