
How can I use wildcards (*) for the source stanza in props.conf?

New Member

Hi,

In my live Splunk environment, I have a syslog receiver on a Linux machine putting all incoming logs in /opt/splunk/var/log/syslog/.
In the syslog folder, sub folders are created for each syslog source and in that sub folder, each source's log files are written down.
Example: /opt/splunk/var/log/syslog/example123-lx0001-10.10.10.10/example.log
I then pull those log files into Splunk via an agent/UF.

That syslog receiver (that's actually several machines) receives logs from several hundreds of hosts and what I want to do is to apply a props configuration on every source that includes lx001 in the host name of the syslog source.

What I've tried, but not gotten to work:

[source::/opt/splunk/var/log/syslog/*lx0001*]

I would be so glad if someone could lead me in the right direction.

0 Karma

Re: How can I use wildcards (*) for the source stanza in props.conf?

SplunkTrust

How about this

[source::/opt/splunk/var/log/syslog/*lx0001*] 
0 Karma

Re: How can I use wildcards (*) for the source stanza in props.conf?

New Member

I corrected my post since it in fact was possible to write wildcards in the text. Unfortunately that stanza is what I've tried and not got to work.

0 Karma

Re: How can I use wildcards (*) for the source stanza in props.conf?

Motivator
0 Karma

Re: How can I use wildcards (*) for the source stanza in props.conf?

Legend

[Old broken answer has been edited, so the following may not match the comments below]

In props.conf, you can specify the source using a regular expression (as well as with the "normal" wildcards). Therefore, this should work.

[source::/opt/splunk/var/log/syslog/.*?lx0001.*?/.*]

The above stanza should match exactly what you want. But it would be even better if you replaced the .*? with more precise regex matching; this is pretty open-ended.

When you have time (it is long), read the header of the props.conf.spec file carefully and you will find a wealth of good information.

0 Karma

Re: How can I use wildcards (*) for the source stanza in props.conf?

New Member

Unfortunately, neither works.

I also cannot find any official info that you're able to use whitelist in props.conf.

0 Karma

Re: How can I use wildcards (*) for the source stanza in props.conf?

Legend

Oh - shoot me now! My head was in inputs.conf while I was clearly working with props.conf.

Above answer is completely revised. Thanks!

0 Karma

Re: How can I use wildcards (*) for the source stanza in props.conf?

New Member

Yeah, that regex checks out on my different sources when testing it outside Splunk, but it doesn't work in my props.conf. Are you really able to write regex simply like that in the source stanza?

Thanks for your time.

0 Karma
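
An added example, not written by any poster in this thread and not Splunk's own code: a simplified Python model of the source:: match language as the header of props.conf.spec describes it (the expression must match the entire source name; "..." matches any characters, "*" matches anything except a path separator, "." matches a literal period). It runs the two stanzas posted above, plus two hypothetical alternatives, against the path from the question and against a constructed path for a different host; the function names, the second path and the alternative stanzas are assumptions made for illustration.

```python
import re

def stanza_to_regex(pattern: str) -> str:
    """Simplified model of the source:: match language (assumption: '/' is
    the only path separator; Splunk's own matcher is not reproduced here)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("...", i):   # "..." -> any characters, crosses '/'
            out.append(".*")
            i += 3
        elif pattern[i] == "*":            # "*" -> anything except the separator
            out.append("[^/]*")
            i += 1
        elif pattern[i] == ".":            # "." -> a literal period
            out.append(r"\.")
            i += 1
        else:                              # everything else is left as regex
            out.append(pattern[i])
            i += 1
    return "".join(out)

def stanza_matches(pattern: str, source: str) -> bool:
    # The expression must match the entire source name, not a substring.
    return re.fullmatch(stanza_to_regex(pattern), source) is not None

BASE = "/opt/splunk/var/log/syslog/"
# Path from the question, plus a constructed path for a different host whose
# file name happens to contain "lx0001".
WANTED = BASE + "example123-lx0001-10.10.10.10/example.log"
OTHER = BASE + "example456-lx0002-10.10.10.11/lx0001.log"

STANZAS = [
    BASE + "*lx0001*",          # from the question
    BASE + ".*?lx0001.*?/.*",   # from the revised answer
    BASE + "*lx0001*/*",        # hypothetical: one "*" pattern per path segment
    BASE + "...lx0001...",      # hypothetical: "..." crosses directories
]

def evaluate():
    """Return {stanza: (matches WANTED, matches OTHER)} for each stanza."""
    return {s: (stanza_matches(s, WANTED), stanza_matches(s, OTHER)) for s in STANZAS}

if __name__ == "__main__":
    for stanza, (wanted, other) in evaluate().items():
        print(f"[source::{stanza}]  wanted={wanted}  other={other}")
```

Under this model, only the two alternatives match the wanted path, and the "..." form also matches the other host's file, so it applies the props settings more widely than the per-segment "*" form.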