[source::*.log]
BREAK_ONLY_BEFORE_DATE = true
[source::*/access.log]
BREAK_ONLY_BEFORE_DATE = false
Even though [source::*.log] and [source::*/access.log] both match a file called access.log, they will not merge in the configuration because the stanza names do not match exactly. This logic is covered later under An overview of Splunk .conf files | props.conf | Stanza types.
3. We then merge $SPLUNK_HOME/etc/apps/d/local/props.conf:
[web_access]
MAX_TIMESTAMP_LOOKAHEAD = 30
TIME_PREFIX = ^\[
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = UTC
[source::*.log]
BREAK_ONLY_BEFORE_DATE = true
[source::*/access.log]
BREAK_ONLY_BEFORE_DATE = false
[security_log]
EXTRACT-<name> = \[(?P<user>.*?)\]
4. We finally merge the globally overriding $SPLUNK_HOME/etc/system/local/props.conf file:
[default]
BREAK_ONLY_BEFORE_DATE = false
[web_access]
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_PREFIX = ^\[
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = CST
BREAK_ONLY_BEFORE_DATE = false
[source::*.log]
BREAK_ONLY_BEFORE_DATE = true
[source::*/access.log]
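To make the merge order concrete, here is an added Python example (not from the book and not Splunk's own code) that parses props.conf-style text, merges layers in the ascending precedence the steps above follow, and applies the [default] stanza to compute a stanza's effective settings. The two embedded files are constructed copies of the step 3 and step 4 listings; the stanza the step 4 listing cuts off is omitted rather than guessed. The lint helper is an assumption of this example: it flags a TIME_FORMAT with a "$" typed where "%" was meant, a typo that silently breaks timestamp parsing.

```python
"""Layered merge of Splunk props.conf files (added illustration, not Splunk code)."""
import re
from collections import OrderedDict

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")

# Step 3 layer: constructed copy of $SPLUNK_HOME/etc/apps/d/local/props.conf
APP_D_LOCAL = r"""
[web_access]
MAX_TIMESTAMP_LOOKAHEAD = 30
TIME_PREFIX = ^\[
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = UTC

[source::*.log]
BREAK_ONLY_BEFORE_DATE = true

[source::*/access.log]
BREAK_ONLY_BEFORE_DATE = false

[security_log]
EXTRACT-<name> = \[(?P<user>.*?)\]
"""

# Step 4 layer: constructed copy of $SPLUNK_HOME/etc/system/local/props.conf
# (the stanza the book's listing cuts off is left out, not invented)
SYSTEM_LOCAL = r"""
[default]
BREAK_ONLY_BEFORE_DATE = false

[web_access]
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_PREFIX = ^\[
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = CST
BREAK_ONLY_BEFORE_DATE = false

[source::*.log]
BREAK_ONLY_BEFORE_DATE = true
"""


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}.

    Stanza names and keys are kept case-sensitive, and only the first '='
    splits key from value, so regex values containing '=' survive intact.
    Key/value lines before any [stanza] header are ignored by this parser.
    """
    stanzas = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, OrderedDict())
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def merge_layers(layers):
    """Merge conf texts given in ascending precedence; later layers win per key.

    Merging happens per stanza and per key, and stanza names must match
    character for character: [source::*.log] and [source::*/access.log]
    remain separate stanzas even if both patterns match the same file.
    """
    merged = OrderedDict()
    for text in layers:
        for stanza, attrs in parse_conf(text).items():
            merged.setdefault(stanza, OrderedDict()).update(attrs)
    return merged


def effective_settings(merged, stanza):
    """Settings for one stanza; [default] supplies whatever the stanza leaves unset."""
    result = OrderedDict(merged.get("default", {}))
    result.update(merged.get(stanza, {}))
    return result


def lint_time_format(fmt):
    """Return a problem description for a TIME_FORMAT value, or None if it looks sane.

    A '$' typed where '%' was meant (e.g. '$H') means the format never matches,
    so Splunk cannot apply it and falls back to other timestamp heuristics,
    quietly shifting event times in the timeline an investigation relies on.
    """
    if "%" not in fmt:
        return "no strptime directives"
    bad = re.findall(r"\$[A-Za-z]", fmt)
    if bad:
        return "'$' used where '%' was meant: " + ", ".join(bad)
    return None


def lint_merged(merged):
    """Map stanza name -> lint message for every stanza with a bad TIME_FORMAT."""
    problems = {}
    for stanza, attrs in merged.items():
        if "TIME_FORMAT" in attrs:
            msg = lint_time_format(attrs["TIME_FORMAT"])
            if msg:
                problems[stanza] = msg
    return problems


if __name__ == "__main__":
    merged = merge_layers([APP_D_LOCAL, SYSTEM_LOCAL])
    for name in ("web_access", "security_log", "source::*.log", "source::*/access.log"):
        print(name, dict(effective_settings(merged, name)))
    print("lint:", lint_merged(merged))
```

Running it shows web_access ending up with MAX_TIMESTAMP_LOOKAHEAD = 25 and TZ = CST from the system/local layer, security_log inheriting BREAK_ONLY_BEFORE_DATE = false from [default] while keeping its EXTRACT, and the two source:: stanzas keeping their own, opposite BREAK_ONLY_BEFORE_DATE values because their names never collide.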