topic props.conf - Issue with [<spec>] regex-like syntax in Getting Data In

props.conf - Issue with [] regex-like syntax

SplunkMan96 — Fri, 14 Jul 2023 19:46:43 GMT

I'm trying to specify a single stanza in props.conf, with FIELDALIAS and EVAL expressions, for two different sourcetypes, "Snare:Security" and "XmlWinEventLog". However, when I use an OR pipe to specify both sourcetypes in the [<spec>], like so:

[Snare:Security|XmlWinEventLog]

neither sourcetype has the rules applied to it. Inspecting "source types" in my search head shows that the rules have been applied to the sourcetype "Snare:Security|XmlWinEventLog", instead of both the individual sourcetypes.

Am I not using the pipe correctly? Per the splunk documentation:

**[<spec>] stanza patterns:**

When setting a [<spec>] stanza, you can use the following regex-type syntax:
... recurses through directories until the match is met
or equivalently, matches any number of characters.
* matches anything but the path separator 0 or more times.
The path separator is '/' on unix, or '\' on Windows.
Intended to match a partial or complete directory or filename.
| is equivalent to 'or'
( ) are used to limit scope of |.
\\ = matches a literal backslash '\'.

It seems like it should work. I've tried placing parenthesis around the whole expression and around each individual sourcetype.

Re: props.conf - Issue with [] regex-like syntax

richgalloway — Fri, 14 Jul 2023 19:54:59 GMT

If two sourcetypes use the exact same settings then perhaps they should be a single sourcetype. Also, copying lines to make another sourcetype takes less effort than you've expended so far. 🙂

I've never seen anyone use a regular expression in a props.conf stanza, but it does work in inputs.conf so should work in props.conf. The catch is the regex engine is only invoked when a wildcard is detected. I believe that is not documented.

Re: props.conf - Issue with [] regex-like syntax

PickleRick — Fri, 14 Jul 2023 20:12:24 GMT

Just look inside Splunk_TA_windows 😉

[(?::){0}WinEventLog:*]
TRANSFORMS-Fixup = ta-windows-fix-classic-source,ta-windows-fix-sourcetype

[(?::){0}XmlWinEventLog:*]
TRANSFORMS-XmlFixup = ta-windows-fix-xml-source,ta-windows-fix-sourcetype

Re: props.conf - Issue with [] regex-like syntax

SplunkMan96 — Fri, 14 Jul 2023 20:23:56 GMT

This works, thanks! Using [(?::){0}Snare:Security|XmlWinEventLog]as the stanza specifier applies the rules to both sourcetypes.

In response to the original reply, I would combine the sourcetypes, but they do have meaningfully different formats. As you can see, some come direct from Windows machines in XML format and some are forwarded over syslog using Snare, and have been converted to TSV format. I've translated fields into CIM format for each case, but the raw text still differs, so I feel the sourcetype should as well. I could, of course, copy the same text to two stanzas, but in my opinion that's pretty messy.

I tried adding wildcards to the sourcetype, but it doesn't work as intended. This isn't intended to be actual regex, but the regex-like syntax encompassing those four operators (..., *, |, ()) specified in Splunk's props.conf definition.