Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I put that source in props.conf without listing each one separately?

leejones4
Explorer
‎07-08-2022 11:01 AM

We are trying to filter out events from a Syslog server that is ingesting data for a number of sources but the one we are trying to filter is from our Meraki devices.  Each Meraki is considered a source and the sourcetype is meraki.  This is a sample of the events coming into Splunk:

2022-07-08 07:14:51.427 xxx.xxx.xxx.xxx 1 Location_XXX flows src=xxx.xxx.0.1 dst=8.8.8.8 mac=70:D3:79:XX:XX:XX protocol=icmp type=8 pattern: allow icmp
host = xxx.xx.0.2source = /syslog0/syslog/meraki/xxx.xx.0.2/messages.log sourcetype = meraki

There are more than 100 sources all using the format:  /syslog0/syslog/meraki/<IP Address>/messages.log

How can I put that source in props.conf without listing each one separately? 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

danielcj
Communicator
‎07-08-2022 11:55 AM

Yes, you can use the sourcetype on the props.conf instead of the sources. 
You can check it on the docs: 

https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/Propsconf#GLOBAL_SETTINGS

[<spec>]
* This stanza enables properties for a given <spec>.

<spec> can be:
1. <sourcetype>, the source type of an event.

 

View solution in original post

Reply
Solved! Jump to solution

danielcj
Communicator
‎07-08-2022 11:41 AM

Hello @leejones4 ,

You could use the sourcetype definition instead of the sources on the props.conf file

For example:

props.conf file

[meraki]
<YOUR_DEFINITIONS_HERE>
Reply
Solved! Jump to solution

leejones4
Explorer
‎07-08-2022 11:53 AM

That's awesome.  So I don't need to put the source but can use the sourcetype instead?

0 Karma
Reply
Solved! Jump to solution
Solution

danielcj
Communicator
‎07-08-2022 11:55 AM

Yes, you can use the sourcetype on the props.conf instead of the sources. 
You can check it on the docs: 

https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/Propsconf#GLOBAL_SETTINGS

[<spec>]
* This stanza enables properties for a given <spec>.

<spec> can be:
1. <sourcetype>, the source type of an event.

 

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...