v1.0.1
Splunk® props.conf settings
Many Solutions, One Goal. indexing pipeline order
CHARSET
NO_BINARY_CHECK
CHECK_METHOD
CHECK_FOR_HEADER (deprecated)
initCrcLength
PREFIX_SOURCETYPE
sourcetype
INDEXED_EXTRACTIONS
EVENT_BREAKER_ENABLED
Input force_local_processing
CHARSET (checked)
LINE_BREAKER
TRUNCATE
METRICS_PROTOCOL
STATSD-DIM-TRANSFORMS (if metrics)
HEADER_MODE
Parsing Queue
Application Order
SHOULD_LINEMERGE
BREAK_ONLY_BEFORE
BREAK_ONLY_BEFORE_DATE Applied together
MUST_BREAK_AFTER
MAX_EVENTS
TIME_PREFIX
TIME_FORMAT
MAX_TIMESTAMP_LOOKAHEAD
DATETIME_CONFIG Applied together
MAX_DAYS_AGO
Aggregation Queue MAX_DAYS_HENCE
TZ
SEDCMD*
TRANSFORMS*
ANNOTATE_PUNCT**
METRIC-SCHEMA-TRANSFORMS
Typing Queue * These items are applied according to
props.conf precedence rules
** Needs to be applied to the rewritten
sourcetype from a TRANSFORMS
SEGMENTATION
Note: Data submitted to Splunk using the collector/event endpoint
Indexing Queue do not use this pipeline. Structured data (INDEXED_EXTRACTIONS) use
a similar, but not exactly the same pipeline.
Splunk is a registered trademark of Splunk, Inc.
Provided by Aplura, LLC. Splunk Consulting This work is licensed under the Creative Commons
and Application Development Services. sales@aplura.com https://www.aplura.com Attribution-ShareAlike 4.0 International License.