Can sourcetype control be applied in props.conf?

rrussellstscied · ‎12-16-2016

Hopefully a simple question.

I can see that in props.conf you can use source, [source::.../dads_logs/*.log], to control if it's applied but can you use sourcetype:...nameofsourcetype?

Thanks

somesoni2 · ‎12-16-2016

The ... was specific operator to recursively look in a path. Sourcetype is not path so it won't make sense to use ... there. If you're looking to use wildcard in sourcetype name, try something like this

In props.conf

[(?:::){0}*nameofsourcetype*]

rrussellstscied · ‎12-16-2016

Thanks for the info. I'm not looking for a wildcard but more could I replace in the props file, source:....pathtolog, with [sourcetype:dads_logs], and then the regex, date, and extractions would apply to all logs that come in with a sourcetype of dads_logs?

Sorry - I'm getting dumped into the Splunk world and having some difficulties.

Thanks

somesoni2 · ‎12-16-2016

If all the data that belongs to [source::.../dads_logs/*.log] (within Splunk searchindex=* source=*/dads_logs/*.log) a single sourcetype and that sourcetype is only associated with aforementioned source, then you can replace [source::.../dads_logs/*.log] with [yoursourcetype]'

Can sourcetype control be applied in props.conf?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

Can sourcetype control be applied in props.conf?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES