Hello all,
Hoping someone could help clarify and hopefully help figure out an issue I've run into. I created an automatic lookup table to add some details to my event data. I created a new props.conf and added a sourcetype within the props.conf. I configured the lookup file in global context and deployed the props.conf under /app/app_name/local directory. Now for some reason, the sourcetype I added in the props.conf file which is deployed under /app/app_Name/local is taking precedence over another props.conf that I have out there with the same sourcetype which handles a lot of normalization. Question is, why is this happening and what is the best workaround or way to tackle this problem. Thanks all.
For example:
Props.conf for automatic lookup
[distributor:remote]
LOOKUP-table = logs_per_day host OUTPUTNEW average_logs AS logs_per_day
Global master Props.conf **This props.conf is no longer being loaded since the one above was deployed**
[distributor:remote]
SEDCMD-moveheader = s/^\<\?xml[^\>]*\>\n*//g
EXTRACT-extract_ip = (?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
bunch of other things.
↧