When working in Splunk, you can earn major magician status with all of the magic tricks you can do with your data. Every magician needs to prepare for their tricks… and in the case of Splunk, that preparation comes through data onboarding. That’s where the Magic 8 props.conf configurations come in to help you set up for your big “abracadabra” moment.
The Magic 8 (formerly known as the Magic 6), are props.conf configurations to use when you build out props for data – these are the 6-8 configurations that you absolutely need. Why? Splunk serves us with a lot of automation.. but as we know, the auto ”magic” parts don’t always get it right. Or at least, it can be pretty basic and heavily lean on default settings.
While you’re watching the video, take a look at this resource, The Aplura Cheat Sheet (referenced in the video).
What is props.conf?
Props.conf is one of the most common configuration files you’ll interact with as a Splunk admin, specifically relating to data ingest. You’ll see these configurations used often for line breaking, time stamp configurations, applications of transforms (along with transforms.conf), and some field extractions.
There are two categories of props.conf configurations: line breakers and time stamp configurations. Both are represented in the Magic 8 configurations.
What are the Magic 8 Configurations for props.conf?
The Magic 8 configurations you’ll need are…
- SHOULD_LINEMERGE = false (always false)
- LINE_BREAKER = regular expression for event breaks
- TIME_PREFIX = regex of the text that leads up to the timestamp
- MAX_TIMESTAMP_LOOKAHEAD = how many characters for the timestamp
- TIME_FORMAT = strptime format of the timestamp
- TRUNCATE = 999999 (always a high number)
- EVENT_BREAKER_ENABLE = true*
- EVENT_BREAKER = regular expression for event breaks*
To find a full list of props.conf configurations, see props.conf.spec.
Why use Magic 8 Configurations for props.conf?
There are specific use cases like testing data sources and manually uploading test log files that require the application of specific configurations in order to get the outcome you’d like to see once your logs are ingested.
Although there are technical add-ons available via Splunkbase, you’ll occasionally come across custom log sources that don’t have these configurations available for use beforehand. If you are setting up custom data sources, you’ll want to be familiar with the magic 8 configurations for props.conf.
Splunk Pro Tip: This type of work can be a considerable resource expense when executing it in-house. The experts at Kinney Group have several years of experience architecting, creating, and solving in Splunk. With Expertise on Demand, you’ll have access to some of the best and brightest minds to walk you through simple and tough problems as they come up.
If you found this helpful…
You don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.
Cue Atlas Assessment: Instantly see where your Splunk environment is excelling and opportunities for improvement. From download to results, the whole process takes less than 30 minutes using the button below:
