How to match all hosts in props.conf?

Communicator

I'm looking to match and filter upcoming events of all hosts. Under SPLUNK_HOME\etc\apps\search\local\props.conf, I tried the following, but I'm not getting the result that I want.

[host::.]
[host::.*]
[host::^.*]
[host::*]

I troubleshot my regular expression at regex101.com and it is matching correctly.

Any ideas?

Thanks!

0 Karma

Re: How to match all hosts in props.conf?

Legend

Hi Yaichael,
I usually use sourcetype in props.conf, because I found many problems using host or source.
In any case, you have to define your stanzas by sourcetype in your props.conf.
So in each props.conf stanza you can add

TRANSFORMS-sourcetype=set_nullqueue,set_sourcetype

and in transforms.conf

[set_nullqueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

[set_sourcetype]
REGEX=your_regex
DEST_KEY = queue
FORMAT = indexQueue

In this way you discard all events and index the events that match your_regex.
If you want to index all events and discard the events that match your regex, you have to use the following.
props.conf

TRANSFORMS-sourcetype=set_sourcetype,set_nullqueue

transforms.conf

[set_nullqueue]
REGEX=your_regex
DEST_KEY=queue
FORMAT=nullQueue

[set_sourcetype]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue

Bye.
Giuseppe

0 Karma
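
Added example, not part of the original thread: a small Python model of the ordering rule the two configurations above depend on, assuming the transforms in one TRANSFORMS- list run in the order listed and the last matching one sets the queue. The sample events, the `sshd\[` stand-in for your_regex and the function names are constructed for illustration; Splunk evaluates REGEX with PCRE, so check real patterns against real data.

```python
import re

# Constructed sample events (not from the original thread).
EVENTS = [
    "Jan 10 10:00:01 web01 sshd[411]: Failed password for root from 192.0.2.10",
    "Jan 10 10:00:02 web01 cron[522]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan 10 10:00:03 db01 sshd[413]: Accepted publickey for deploy from 192.0.2.11",
]

YOUR_REGEX = r"sshd\["  # stand-in for "your_regex" in the answer


def route(event, transforms):
    """Apply (regex, queue) transforms in listed order; the last match wins."""
    queue = "indexQueue"  # assumption: events are indexed unless a transform says otherwise
    for regex, dest in transforms:
        if re.search(regex, event):  # unanchored match against the raw event
            queue = dest
    return queue


def indexed(events, transforms):
    """Return the events that end up in indexQueue."""
    return [e for e in events if route(e, transforms) == "indexQueue"]


# Variant 1: TRANSFORMS-sourcetype=set_nullqueue,set_sourcetype
KEEP_ONLY_MATCHES = [(r".", "nullQueue"), (YOUR_REGEX, "indexQueue")]
# Variant 2: TRANSFORMS-sourcetype=set_sourcetype,set_nullqueue
DROP_MATCHES = [(r".", "indexQueue"), (YOUR_REGEX, "nullQueue")]
# Variant 1 with the list order swapped: the catch-all runs last and discards everything
SWAPPED = [(YOUR_REGEX, "indexQueue"), (r".", "nullQueue")]

if __name__ == "__main__":
    for name, transforms in [("keep only matches", KEEP_ONLY_MATCHES),
                             ("drop matches", DROP_MATCHES),
                             ("variant 1 swapped", SWAPPED)]:
        kept = indexed(EVENTS, transforms)
        print(f"{name}: {len(kept)}/{len(EVENTS)} indexed")
        for event in kept:
            print("   ", event)
```

The swapped case is the one to watch for in a logging pipeline: a catch-all nullQueue transform listed last silently drops every event for that stanza.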

Re: How to match all hosts in props.conf?

Communicator

Thanks, cusello!

0 Karma