- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How can I use wildcards (*) for the source stanza ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I use wildcards (*) for the source stanza in props.conf?
Hi,
In my live splunk environment, I have a syslog receiver on a Linux machine putting all incoming logs in /opt/splunk/var/log/syslog/
In the syslog folder, sub folders are created for each syslog source and in that sub folder, each source's log files are written down.
Example: /opt/splunk/var/log/syslog/example123-lx0001-10.10.10.10/example.log
I then pull those log files into Splunk via an agent/UF.
That syslog receiver (that's actually several machines) receives logs from several hundreds of hosts and what I want to do is to apply a props configuration on every source that includes lx001 in the host name of the syslog source.
What I've tried, but not gotten to work:
[source::/opt/splunk/var/log/syslog/*lx0001*]
I would be so glad if someone could lead me in the right direction.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[Old broken answer has been edited, so the following may not match the comments below]
In props.conf, you can specify the source using a regular expression (as well as with the "normal" wildcards). Therefore, this should work.
[source::/opt/splunk/var/log/syslog/.*?lx0001.*?/.*]
The above stanza should match exactly what you want. But it would be even better if you replaced the .*? with more precise regex matching; this is pretty open-ended.
When you have time (it is long), read the header of the props.conf.spec file carefully and you will find a wealth of good information.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah that regex checks out on my different sources testing it outside Splunk but it doesn't work in my props.conf. Are you really able to write regex simply like that in the source stanza?
Thanks for your time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately, neither work.
I also cannot find any official info that you're able to use whitelist in props.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh - shoot me now! My head was in inputs.conf while I was clearly working with props.conf
Above answer is completely revised. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about this
[source::/opt/splunk/var/log/syslog/*lx0001*]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I corrected my post since it in fact was possible to write wildcards in the text. Unfortunately that stanza is what I've tried and not got to work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
New in Observability Cloud - Explicit Bucket Histograms
