Documentation: 3.1.3
This page last updated: 09/24/07 09:09am

props.conf

Props.conf controls what parameters apply to events during indexing based on settings tied to each event's source, host, or sourcetype.

To edit this configuration for your local Splunk server, make your edits in $SPLUNK_HOME/etc/bundles/local/props.conf.

You can create this file by copying examples from $SPLUNK_HOME/etc/bundles/README/props.conf.example.

Never edit files in our default bundle in $SPLUNK_HOME/etc/bundles/default or your changes may be overwritten in an upgrade.

props.conf.spec

# Copyright (C) 2005-2007 Splunk Inc.  All Rights Reserved.  Version 3.0 
#

# This file contains all possible options for a "props.conf" file.
#
# The processing properties of Splunk are configured through the files
# $SPLUNK_HOME/etc/bundles/<bundle name>/props.conf
#

# A configuration looks like:

[<spec>]
attribute1 = val1
attribute2 = val2
...

<spec> can be:
1. <sourcetype>, the sourcetype of an event 
2. host::<host>, where <host> is the host for an event
3. reportinghost::<host>, where <host> is the reporting host for an event
4. source::<source>, where <source> is the source for an event

If the same <spec> is found in two bundle directories, the following
precedence rules apply. Attributes in the "local" bundle are read first and
attributes in the "default" bundle are read last. Attributes in the
other bundles are loaded in alphabetical order of bundle name.

Overriding is performed attribute by attribute, so if a specific
attribute is not specified in "local", but in another bundle,
it will be taken from that other bundle.

The possible attributes/value pairs, and their default values, are:

# International characters

CHARSET = <string> (ASCII)
  * When set, Splunk will assume input from that source is in the specified
    encoding.  A list of valid encodings can be retrieved using the command
    "iconv -l" on most Unix systems.  If an invalid encoding is specified, a
    warning will be logged during initial configuration and further input from
    that spec will be discarded.  If the source encoding is valid, but some
    characters from the spec are not valid in the specified encoding, then
    the characters will be escaped as hex (e.g., "\xF3").

# Line breaking

TRUNCATE = <non-negative integer> (10000)
  * Change the default maximum line length.  Set to 0 if you don't want
    truncation ever (very long lines are, however, often a sign of garbage
    data).

# Multiline events

SHOULD_LINEMERGE = <bool> (True)
  * When set to true Splunk can combine several input lines into a single
    event, based on the following configuration attributes.

# The following are used only when SHOULD_LINEMERGE = True

AUTO_LINEMERGE = <bool> (True)
  * Directs Splunk to use automatic learning methods to determine
    where to break a stream of lines into events.

BREAK_ONLY_BEFORE_DATE = <bool> (False)
  * When set, Splunk will create a new event if and only if it encounters
    a new line with a date.

BREAK_ONLY_BEFORE = <regular expression> (Empty)
  * When set, Splunk will create a new event if and only if it encounters
    a new line that matches the regular expression.

MUST_BREAK_AFTER = <regular expression> (Empty)
  * When set, and the regular expression matches the current line,
    Splunk is guaranteed to create a new event for the next input line.
    Splunk may still break before the current line if another rule matches.

MUST_NOT_BREAK_AFTER = <regular expression> (Empty)
  * When set and the current line matches the regular expression, Splunk will
    not break on any subsequent lines until the MUST_BREAK_AFTER expression
    matches. 

MAX_EVENTS = <integer> (256)
  * Specifies the maximum number of input lines that will be added to any
    event. Splunk will break after the specified number of lines are read.
     
# end of linemerging configuration
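
To show how BREAK_ONLY_BEFORE, MUST_BREAK_AFTER, MUST_NOT_BREAK_AFTER and MAX_EVENTS interact, here is an added Python simulation of the rules above (not Splunk's own code) run over a constructed Java application log; the [java_app] attributes and the sample lines are hypothetical, and AUTO_LINEMERGE's learned breaking is not modelled.

```python
import re

# Constructed attributes of a hypothetical [java_app] props.conf stanza (not
# from the Splunk docs): start a new event only before a timestamped line.
JAVA_APP = {"BREAK_ONLY_BEFORE": r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}",
            "MAX_EVENTS": "256"}

# Constructed sample input: two requests with a stack trace between them.
SAMPLE_LINES = [
    "2007-09-24 09:09:01 INFO  Request started",
    "2007-09-24 09:09:02 ERROR Unhandled exception",
    "java.lang.NullPointerException",
    "    at com.example.Foo.bar(Foo.java:42)",
    "    at com.example.Main.main(Main.java:10)",
    "2007-09-24 09:09:03 INFO  Request finished",
]


def merge_lines(lines, attrs):
    """Group lines into events using the line-merging attributes above.
    Simplification (not Splunk's code): with no BREAK_ONLY_BEFORE each line
    starts its own event; AUTO_LINEMERGE's learned breaking is not modelled."""
    def rx(key):
        return re.compile(attrs[key]) if attrs.get(key) else None
    only_before, must_after = rx("BREAK_ONLY_BEFORE"), rx("MUST_BREAK_AFTER")
    must_not_after = rx("MUST_NOT_BREAK_AFTER")
    max_events = int(attrs.get("MAX_EVENTS", 256))
    events, current, force_break, hold = [], [], False, False
    for line in lines:
        if current:
            if force_break or len(current) >= max_events:
                break_here = True   # MUST_BREAK_AFTER matched or MAX_EVENTS hit
            elif hold:
                break_here = False  # inside a MUST_NOT_BREAK_AFTER run
            elif only_before:
                break_here = bool(only_before.search(line))
            else:
                break_here = True
            if break_here:
                events.append(current)
                current = []
        current.append(line)
        force_break = bool(must_after and must_after.search(line))
        if force_break:
            hold = False            # a MUST_BREAK_AFTER match ends the hold
        elif must_not_after and must_not_after.search(line):
            hold = True
    if current:
        events.append(current)
    return events
```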

# Timestamp extraction configuration

DATETIME_CONFIG = <filename relative to SPLUNK_HOME> (/etc/datetime.xml)
  * Specifies the file to configure the timestamp extractor.
    This configuration may also be set to "NONE" to prevent the timestamp
    extractor from running or "CURRENT" to assign the current system time
    to each event.

MAX_TIMESTAMP_LOOKAHEAD = <integer> (150)
  * Specifies how far into an event Splunk should look for a timestamp.

TIME_PREFIX = <regular expression> (empty)
  * Specifies the necessary condition for a timestamp to be extracted. Also,
    the timestamping algorithm will only look for a timestamp after the
    prefix in the event.

TIME_FORMAT = <strptime-style format> (empty)
  * Specifies a strptime format string to extract the date. This method of
    date extraction does not support in-event timezones. It starts reading
    after the TIME_PREFIX. It must contain the hour, minute, month, and day.

TZ = <posix timezone string> (Empty)
  * The algorithm for determining the time zone for a particular event is
    as follows:
      - if the event has a timezone in its raw text (e.g., UTC, -08:00),
        use that as the timezone for the event.
      - if TZ is set to a valid timezone string,
        use that as the timezone for the event.
      - otherwise use the timezone of the system that is running splunkd.

MAX_DAYS_AGO = <integer> (730) which is the number of days in 2 years
  * Specifies the maximum number of days ago, from the current date, for
    an extracted date to be valid.  If set to 10, for example, dates
    that were older than 10 days old would be ignored.  The tighter
    the window of dates the system is allowed to extract, the less
    likely are false positives.  The default value is the number of
    days in 2 years.  When using Splunk on timestamps that are older
    than 2 years, this value will need to be increased.

MAX_DAYS_HENCE = <integer> (1)
  * Specifies the maximum number of days in the future, from the current
    date, for an extracted date to be valid.  If set to 3, for
    example, dates that were more than 3 days in the future would be
    ignored.  The tighter the window of dates the system is allowed to
    extract, the less likely are false positives.  The default value
    is to allow dates that are tomorrow.  If you deal with dates
    coming from machines which have the wrong date set or for which
    their timezone is already in the next day, increase this value to
    a few days.

# end of timestamp extraction configuration
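
An added Python sketch (not Splunk's code) of the timestamp pipeline described above: TIME_PREFIX gates extraction, TIME_FORMAT is applied with strptime inside the MAX_TIMESTAMP_LOOKAHEAD window, TZ supplies the zone when the event carries none, and MAX_DAYS_AGO / MAX_DAYS_HENCE reject out-of-window dates. The [audit_app] attributes and sample events are constructed, and TZ is passed as a tzinfo object rather than a POSIX timezone string.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed attributes of a hypothetical [audit_app] stanza (not from the
# Splunk docs).  TZ is a tzinfo object here instead of a POSIX timezone
# string, to keep the example independent of the system tz database.
AUDIT_APP = {
    "TIME_PREFIX": r"ts=",
    "TIME_FORMAT": "%Y-%m-%d %H:%M:%S",
    "MAX_TIMESTAMP_LOOKAHEAD": "150",
    "MAX_DAYS_AGO": "730",
    "MAX_DAYS_HENCE": "1",
    "TZ": timezone(timedelta(hours=-7)),
}


def extract_timestamp(event, attrs, now):
    """Apply TIME_PREFIX, TIME_FORMAT, TZ and the MAX_DAYS_* window.

    Returns an aware datetime, or None when no valid timestamp is found.
    `now` is injected so the window check is deterministic."""
    head = event[: int(attrs.get("MAX_TIMESTAMP_LOOKAHEAD", 150))]
    start = 0
    if attrs.get("TIME_PREFIX"):
        m = re.search(attrs["TIME_PREFIX"], head)
        if not m:
            return None           # the prefix is a necessary condition
        start = m.end()
    fmt = attrs["TIME_FORMAT"]
    # strptime wants an exact-length string; TIME_FORMAT carries no %z, so
    # an in-event timezone is never consumed (as the spec states).
    for end in range(len(head), start, -1):
        try:
            naive = datetime.strptime(head[start:end], fmt)
            break
        except ValueError:
            continue
    else:
        return None
    ts = naive.replace(tzinfo=attrs.get("TZ") or now.astimezone().tzinfo)
    oldest = now - timedelta(days=int(attrs.get("MAX_DAYS_AGO", 730)))
    newest = now + timedelta(days=int(attrs.get("MAX_DAYS_HENCE", 1)))
    return ts if oldest <= ts <= newest else None
```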

# Transform configuration
TRANSFORMS-<class> = <"transform name","transform name",...> {see transforms.conf.spec}
  * Splunk configures classes of regular expressions for each event.
    For each class, Splunk takes the configuration from the highest precedence
    configuration block. This means that if a particular class is
    specified for a source, it will override the same class if it is specified
    for a sourcetype. Similarly, if a particular class is specified in the
    local bundle for a sourcetype, it will override that class for the
    default bundle for that sourcetype.
 
    The following is an example TRANSFORMS class in the default bundle for
    all sourcetypes:

TRANSFORMS-annotation = filetype,loglevel,os,browser,language,ip,email,url

# Report configuration
REPORT-<class> = <"transform name","transform name",...> {see transforms.conf.spec}
  * Like TRANSFORMS, this configures extractions, but those which should be
    run only at report time. Moreover, TRANSFORMS are not run at report time,
    only at index time.

KV_MODE = {"none", "auto", "multi"} ("auto")
  * Specifies the key/value extraction mode for the data. "none" causes no
    key/value extraction to take place. "auto" extracts key/value pairs
    separated by equal signs. "multi" invokes multikv to expand a tabular
    event into multiple events.

# Source Type configuration
sourcetype = <string> (Empty)
  * If set for a [source::...] block, it will cause that source to be
    assigned the specified sourcetype.

invalid_cause = <string> (Empty)
  * If set for a [sourcetype] block, it will cause sources of that
    sourcetype to not be read.

preprocessing_script = <string> (Empty)
  * If set for a [sourcetype] block, the tailing input will not consume
    files of that type; instead, batch processing runs the named script,
    found in $SPLUNK_HOME/bin, to preprocess those files.

pulldown_type = <true | false>
  * If set to true the sourcetype will be listed in the drop-down
    list of available sourcetypes when configuring an input via
    the web interface.

# Segmentation configuration
SEGMENTATION = <string>
  * Specifies the segmenter from segmenters.conf to use at index time.

SEGMENTATION-<segment selection> = <string>
  * Specifies that SplunkWeb should use the given segmenter for the
    given segment selection choice. Example segment selection choices
    are all, inner, outer, raw.

# File checksum configuration
CHECK_METHOD = <string> (endpoint_md5)
  * By default, if the checksums of the first and last 256 bytes of a file
    match existing stored checksums, the file is considered to have been
    indexed already, and thus is ignored.  Setting this to "entire_md5"
    causes the checksum of the entire file to be used.  Alternatively, the
    "modtime" method bases the check on only the modification time of the file.
    Using a method other than the default causes the entire file to be
    reprocessed when a change is detected.
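
The practical consequence of the default method is that a file whose first and last 256 bytes are unchanged is treated as already indexed even if its middle was altered, so the change is never re-read; entire_md5 detects it at the cost of reprocessing the file. The following added Python example (not Splunk's code) demonstrates that on a constructed 40-line sshd log; the stored checksum handling is a simplification of the described check.

```python
import hashlib

# Constructed log file contents (not from the Splunk docs): 40 syslog-style
# lines, well over the 512 bytes the default endpoint check covers.
ORIGINAL = b"".join(
    b"Sep 24 09:%02d:00 host1 sshd[%d]: Accepted publickey for alice\n" % (i, 1000 + i)
    for i in range(40)
)


def endpoint_md5(data):
    """Default CHECK_METHOD: checksums of the first and last 256 bytes only."""
    return hashlib.md5(data[:256]).hexdigest(), hashlib.md5(data[-256:]).hexdigest()


def entire_md5(data):
    """CHECK_METHOD = entire_md5: checksum of the whole file."""
    return hashlib.md5(data).hexdigest()


def seen_before(data, stored, method="endpoint_md5"):
    """Return True when `data` is treated as already indexed under `method`.
    `stored` is the checksum recorded when the file was first indexed."""
    if method == "endpoint_md5":
        return endpoint_md5(data) == stored
    if method == "entire_md5":
        return entire_md5(data) == stored
    raise ValueError("unsupported CHECK_METHOD: %s" % method)


def tamper_middle(data):
    """Constructed mid-file change: rewrite the user name on the 21st line,
    which lies outside both 256-byte endpoints."""
    return data.replace(b"sshd[1020]: Accepted publickey for alice",
                        b"sshd[1020]: Accepted publickey for mallory", 1)
```
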