Props.conf wild card help

SS1 · ‎09-20-2021

Hi,

I have the below source, values in Red will keep changing

source="/Application/logs/b80be40606aa7860f7de0c7ffa6b9d740581ec6035bc450ff5dfa3/apply-service/example.google.local:9818/Application-services/applyy-service:build-000/apply-service-464-xmp/system-out-dev.stdout"

in props.conf i tried below definitions but it is unable to pickup, how can i use wild cards to pick the correct source?

1)

[source::/Application*]

TRANSFORMS-anonymize = address-anonymizer

2)

[source::/Application/logs/*/apply-service/*/Application-services/*/*/system-out-dev.stdout]

TRANSFORMS-anonymize = address-anonymizer

SS1 · ‎09-21-2021

any thoughts @gcusello @ITWhisperer

isoutamo · ‎09-22-2021

Hi

As said by @danielcj 2nd option should be ok.

Are you sure that you haven't several matching spec definition for that source on props.conf? If there are then splunk selects the 1st in ASCII order.

You haven't any full Splunk Enterprise instances before indexer (?) where you are using this props.conf?

One option is define own source type for this in UF's inputs.conf and then match this with it on indexer (or HF if you have those before indexer).

r. Ismo

SS1 · ‎09-21-2021

yes, Transforms.conf has address-anonymizer definition. Nope that wild card is not working

danielcj · ‎09-21-2021

Hello,

The second option of the use of wild cards is correct.

Are these events being indexed at splunk? If not, please verify if the inputs.conf file is configured correctly.

Also, as you are using the TRANSFORMS, do you have a transforms.conf file with the address-anonymizer definition?

Props.conf wild card help

heavy forwarder

host

props.conf

source

sourcetype

transforms.conf

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...