Solved: Re: Can multiple wildcards be used in host:: stanz...

edwardrose · ‎02-19-2020

Is it possible to use multiple wildcards in the host:: stanza in the props.conf file?

[host::svr-*-blah-*]
TRANSFORMS-remove = remove_stuff

So we are trying to remove stuff from multiple hosts in different geographical locations that have very similar names

svr-us-blah-01
svr-us-blah-02
svr-us-blah-03
svr-eur-blah-01
svr-eur-blah-02
svr-eur-blah-03
svr-pac-blah-01
svr-pac-blah-02
svr-pac-blah-03

Each host will collect very similar logs and then forward the logs to Splunk, but we want to dump the noise, so I was hoping that I could just use the [host::svr--blah-] stanza to apply the same props/transforms to each host for dumping the noise.

Will that work?

thanks
ed

manjunathmeti · ‎02-19-2020

Yes, host matching patterns can be used for in [host::]. All the attributes under this stanza are applied to the data from matching hosts. You need to make sure whatever field extractions and data transformation you write under this stanza works for logs coming from all the hosts.

View solution in original post

manjunathmeti · ‎02-19-2020

Yes, host matching patterns can be used for in [host::]. All the attributes under this stanza are applied to the data from matching hosts. You need to make sure whatever field extractions and data transformation you write under this stanza works for logs coming from all the hosts.

Can multiple wildcards be used in host:: stanza in props.conf?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms