Getting Data In

How can I use wildcards (*) for the source stanza in props.conf?

New Member

Hi,

In my live splunk environment, I have a syslog receiver on a Linux machine putting all incoming logs in /opt/splunk/var/log/syslog/
In the syslog folder, sub folders are created for each syslog source and in that sub folder, each source's log files are written down.
Example: /opt/splunk/var/log/syslog/example123-lx0001-10.10.10.10/example.log
I then pull those log files into Splunk via an agent/UF.

That syslog receiver (that's actually several machines) receives logs from several hundreds of hosts and what I want to do is to apply a props configuration on every source that includes lx001 in the host name of the syslog source.

What I've tried, but not gotten to work:

[source::/opt/splunk/var/log/syslog/*lx0001*]

I would be so glad if someone could lead me in the right direction.

0 Karma

Legend

[Old broken answer has been edited, so the following may not match the comments below]

In props.conf, you can specify the source using a regular expression (as well as with the "normal" wildcards). Therefore, this should work.

[source::/opt/splunk/var/log/syslog/.*?lx0001.*?/.*]

The above stanza should match exactly what you want. But it would be even better if you replaced the .*? with more precise regex matching; this is pretty open-ended.

When you have time (it is long), read the header of the props.conf.spec file carefully and you will find a wealth of good information.

0 Karma

New Member

Yeah that regex checks out on my different sources testing it outside Splunk but it doesn't work in my props.conf. Are you really able to write regex simply like that in the source stanza?

Thanks for your time.

0 Karma

New Member

Unfortunately, neither work.

I also cannot find any official info that you're able to use whitelist in props.conf

0 Karma

Legend

Oh - shoot me now! My head was in inputs.conf while I was clearly working with props.conf

Above answer is completely revised. Thanks!

0 Karma

Revered Legend

How about this

[source::/opt/splunk/var/log/syslog/*lx0001*] 
0 Karma

New Member

I corrected my post since it in fact was possible to write wildcards in the text. Unfortunately that stanza is what I've tried and not got to work.

0 Karma

Motivator
0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!