In my live splunk environment, I have a syslog receiver on a Linux machine putting all incoming logs in
In the syslog folder, sub folders are created for each syslog source and in that sub folder, each source's log files are written down.
I then pull those log files into Splunk via an agent/UF.
That syslog receiver (that's actually several machines) receives logs from several hundreds of hosts and what I want to do is to apply a props configuration on every source that includes
lx001 in the host name of the syslog source.
What I've tried, but not gotten to work:
I would be so glad if someone could lead me in the right direction.
I corrected my post since it in fact was possible to write wildcards in the text. Unfortunately that stanza is what I've tried and not got to work.
[Old broken answer has been edited, so the following may not match the comments below]
In props.conf, you can specify the source using a regular expression (as well as with the "normal" wildcards). Therefore, this should work.
The above stanza should match exactly what you want. But it would be even better if you replaced the
.*? with more precise regex matching; this is pretty open-ended.
When you have time (it is long), read the header of the props.conf.spec file carefully and you will find a wealth of good information.
Unfortunately, neither work.
I also cannot find any official info that you're able to use whitelist in props.conf
Oh - shoot me now! My head was in
inputs.conf while I was clearly working with
Above answer is completely revised. Thanks!
Yeah that regex checks out on my different sources testing it outside Splunk but it doesn't work in my props.conf. Are you really able to write regex simply like that in the source stanza?
Thanks for your time.