Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Does anyone know which props.conf keys work with wildcarded stanzas and which dont?

sideview
SplunkTrust
SplunkTrust
‎10-14-2013 06:10 PM

I'm having to use wildcarded stanzas for a lot of my sourcetypes in props.conf, and although I'd like to have the core config appear just once in the file, I'm finding that some keys actually do not function in wildcarded stanzas - these keys only work when present in a plain old [actualSourcetypeName] stanza.

So far I've found that CHECK_FOR_HEADER, SHOULD_LINEMERGE and pulldown_type really have to be in a plain old stanza and do not work in wildcarded props stanzas.

On the other extreme, all EVAL-*, LOOKUP-* and REPORT-* seem to work fine in the wildcarded stanzas.

I'm still testing my way through this and I have yet to test TIME_FORMAT, TIME_PREFIX, BREAK_ONLY_BEFORE_DATE MAX_TIMESTAMP_LOOKAHEAD and initCrcLength. It's feeling like these too will also not work in the wildcarded stanzas.

But does anyone know of a reference in the docs that comes out and says which attributes work this way and which don't?

Tags (1)
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎10-15-2013 07:14 AM

I'd agree with sowings, it seems as if Index time extractions are not wildcard-able. You can add TZ to the list that won't wildcard. I was trying to force some IIS TZ and it didn't work on iis-3, but it did on iis.

I don't know if this is mentioned in the Docs anywhere, I haven't seen it.

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎10-15-2013 06:54 AM

After a preliminary glance at the keys you name, it sounds like it might be the distinction between parse time and search time.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...