I'm looking to match and filter upcoming events of all hosts. Under SPLUNK_HOME\etc\apps\search\local\props.conf, I tried the following, but I'm not getting the result that I want.
[host::.]
[host::.*]
[host::^.*]
[host::*]
I troubleshot my regular expression at regex101.com and it is matching correctly.
Any ideas?
Thanks!
Hi Yaichael,
I usually use sourcetype in props.conf, because I found many problems using host or source.
In any case, you have to define your stanzas by sourcetype in your props.conf.
So in each props.conf stanza you can add
TRANSFORMS-sourcetype=set_nullqueue,set_sourcetype
and in transforms.conf
[set_nullqueue]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[set_sourcetype]
REGEX = your_regex
DEST_KEY = queue
FORMAT = indexQueue
In this way you discard everything and index only the events that match your_regex.
If you want to index everything and discard the events that match your regex, you have to use
props.conf
TRANSFORMS-sourcetype=set_sourcetype,set_nullqueue
transforms.conf
[set_nullqueue]
REGEX = your_regex
DEST_KEY = queue
FORMAT = nullQueue
[set_sourcetype]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue
Bye.
Giuseppe
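The two routing variants above depend entirely on the order in which the transforms are listed: every transform whose REGEX matches sets DEST_KEY, and the last match wins. The following is an added example, not code from the thread or from Splunk; it models that ordered-chain behaviour in Python with a small parser for the transforms.conf subset used here, constructed sample events, and `level=(ERROR|WARN)` standing in for your_regex. The stanza names (set_nullqueue_all, set_index_matching, set_index_all, set_nullqueue_matching) are made up for the illustration, and the third function shows what happens when the two transforms of the first variant are listed in the wrong order.

```python
"""Model of how an ordered TRANSFORMS-<class> chain routes events to a queue.

Added example, not part of the original thread or of Splunk itself. It models
the documented rule: transforms are applied in the listed order, each one whose
REGEX matches the raw event sets DEST_KEY, and the last match wins. The conf
text, stanza names, regex and events below are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Transform:
    name: str
    regex: str      # REGEX =
    dest_key: str   # DEST_KEY =
    fmt: str        # FORMAT =


def parse_transforms(text: str) -> dict[str, Transform]:
    """Parse the [stanza] / KEY = value subset of transforms.conf used for routing."""
    stanzas: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a stanza: {raw!r}")
        key, _, value = line.partition("=")   # split on the first '=' only,
        stanzas[current][key.strip()] = value.strip()  # so regexes may contain '='
    return {
        name: Transform(name, kv["REGEX"], kv["DEST_KEY"], kv["FORMAT"])
        for name, kv in stanzas.items()
    }


def route(event: str, chain: list[Transform], default_queue: str = "indexQueue") -> str:
    """Apply the chain in order; the last transform whose REGEX matches wins."""
    queue = default_queue
    for t in chain:
        if t.dest_key == "queue" and re.search(t.regex, event):
            queue = t.fmt
    return queue


def apply_props_setting(setting: str, transforms: dict[str, Transform], events) -> dict[str, str]:
    """`setting` is the right-hand side of TRANSFORMS-<class> = ... in props.conf."""
    chain = [transforms[name.strip()] for name in setting.split(",")]
    return {event: route(event, chain) for event in events}


YOUR_REGEX = r"level=(ERROR|WARN)"   # constructed stand-in for your_regex

TRANSFORMS_CONF = f"""
[set_nullqueue_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[set_index_matching]
REGEX = {YOUR_REGEX}
DEST_KEY = queue
FORMAT = indexQueue

[set_index_all]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

[set_nullqueue_matching]
REGEX = {YOUR_REGEX}
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed sample events, one per line as Splunk would see them.
EVENTS = (
    "2024-05-01T10:00:01Z host=web01 level=INFO msg=request ok",
    "2024-05-01T10:00:02Z host=web02 level=DEBUG msg=cache hit",
    "2024-05-01T10:00:03Z host=db01 level=ERROR msg=connection refused",
)


def keep_only_matching(events=EVENTS) -> dict[str, str]:
    # First variant: discard everything, then rescue the events that match.
    return apply_props_setting("set_nullqueue_all, set_index_matching",
                               parse_transforms(TRANSFORMS_CONF), events)


def drop_matching(events=EVENTS) -> dict[str, str]:
    # Second variant: index everything, then discard the events that match.
    return apply_props_setting("set_index_all, set_nullqueue_matching",
                               parse_transforms(TRANSFORMS_CONF), events)


def keep_only_matching_wrong_order(events=EVENTS) -> dict[str, str]:
    # Same stanzas as keep_only_matching but reversed: the catch-all nullQueue
    # now runs last and wins for every event, so nothing is indexed.
    return apply_props_setting("set_index_matching, set_nullqueue_all",
                               parse_transforms(TRANSFORMS_CONF), events)


if __name__ == "__main__":
    for label, fn in (("keep only matching", keep_only_matching),
                      ("drop matching", drop_matching),
                      ("keep only matching, wrong order", keep_only_matching_wrong_order)):
        print(f"== {label} ==")
        for event, queue in fn().items():
            print(f"{queue:10s} {event}")
```

Running the block prints the queue chosen for each sample event under the three chains; the third case is the one to check for when "nothing gets indexed" after adding a nullQueue transform, since a catch-all `REGEX = .` listed last overrides every earlier match.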
Thanks, cusello!