In my live splunk environment, I have a syslog receiver on a Linux machine putting all incoming logs in
In the syslog folder, sub folders are created for each syslog source and in that sub folder, each source's log files are written down.
I then pull those log files into Splunk via an agent/UF.
That syslog receiver (that's actually several machines) receives logs from several hundreds of hosts and what I want to do is to apply a props configuration on every source that includes
lx001 in the host name of the syslog source.
What I've tried, but not gotten to work:
I would be so glad if someone could lead me in the right direction.
[Old broken answer has been edited, so the following may not match the comments below]
In props.conf, you can specify the source using a regular expression (as well as with the "normal" wildcards). Therefore, this should work.
The above stanza should match exactly what you want. But it would be even better if you replaced the
.*? with more precise regex matching; this is pretty open-ended.
When you have time (it is long), read the header of the props.conf.spec file carefully and you will find a wealth of good information.
Yeah that regex checks out on my different sources testing it outside Splunk but it doesn't work in my props.conf. Are you really able to write regex simply like that in the source stanza?
Thanks for your time.