Hi,
Does anyone know if it's possible to create a single props.conf stanza that looks for multiple hosts? I've checked the props.conf spec and example files and had a look around Splunk answers but can't seem to find anything about it, although it seems as though it's possible for multiple sources. What I want to do is something like this:
[host::(192.168.2.52)|(192.168.69.15)|(winxp01)]
TRANSFORMS-null = transform-to-null
This would then reference the following stanza in transforms.conf:
[transform-to-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
Which would of course send all of the events to the nullQueue. Has anyone managed to achieve this?
Thanks,
Matt
This worked for me:
[host::(10.3.4.2|10.12.3.4|IP3|IP4|and_so_on)]
Yes, it can be done. According to the props.conf documentation it can be a single host, or a host matching pattern. Generally, when they say 'matching pattern' they mean regex, so in your case it would be something like this:
[host::(192\.168\.2\.52|192\.168\.69\.15|winxp01)]
But, I've never tried it.
I'm going to venture a guess based on the docs that the period is not one of the available regex type operators, so that means they don't need to be escaped. Did you try this:
[host::(192.168.2.52|192.168.69.15|winxp01)]
They don't need to be escaped. Splunk props.conf document should show some examples.
Can anyone help with this? I can't find any clear examples in the props.conf docs, and I can't get this to work in props.conf (I've tried many different variations and many escaping techniques).
[source::(udp:8002|udp:8009|udp:8012)]
EXTRACT-blah......
Any of them alone, of course, work as intended (i.e. [source::udp:8002] works).
[source::udp:80**] works but covers too many
Thanks
I found this post where one of the answers explains that you can use some "regex type operators", including pipe as "or", bounded by ().
http://answers.splunk.com/answers/24274/can-you-have-a-wildcard-in-a-propsconf-stanza-header-when-ma...
I also found more information in the props.conf doc under
**[<spec>] stanza patterns:**
http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/Propsconf
A quick brush up on regex confirms that, still can't seem to get it working though 😞 It has no problem filtering data for two individual hosts but once I make the host this|that or doesn't like it. I'll keep trying some things.
No I believe that lukejadamec is right. If it is regex based, it should most likely be (this|that).
Thanks for your reply lukejadamec. I've already tried things like this but don't seem to have gotten anywhere. At least I now know it's based on regex which I'd forgotten originally! Also I'm not entirely sure which stanza would work anyway, since from my experience with regex I think it would need to be (this)|(that) as opposed to (this|that).
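Because a nullQueue transform silently drops everything the stanza matches, it is worth checking a pattern against a host list before deploying it. The following is an added example, not code from this thread or from Splunk: it models the "stanza patterns" rules as described in the props.conf documentation (`.` is a literal period, `*` matches anything except a path separator, `...` matches anything, `|` and `()` give alternation, and the whole name must match) and contrasts them with reading the same text as an ordinary unanchored regex. The function names and the sample host and source lists are constructed for illustration, and case handling is not modelled.

```python
import re

def stanza_pattern_to_regex(pattern):
    """Model of the documented host::/source:: match-expression translation."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out.append(".*")            # '...' matches any characters
            i += 3
        elif pattern[i] == "*":
            out.append("[^/]*")         # '*' stops at a path separator
            i += 1
        elif pattern[i] in "|()":
            out.append(pattern[i])      # alternation and grouping pass through
            i += 1
        else:
            out.append(re.escape(pattern[i]))  # '.' and the rest are literal
            i += 1
    return re.compile("".join(out))

def stanza_matches(pattern, names):
    """Names the stanza pattern selects; the entire name must match."""
    rx = stanza_pattern_to_regex(pattern)
    return [n for n in names if rx.fullmatch(n)]

def naive_regex_matches(pattern, names):
    """Same text read as a plain unanchored regex, for comparison only."""
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]

# Constructed sample data (not taken from a real deployment).
HOSTS = ["192.168.2.52", "192.168.69.15", "winxp01",
         "192.168.2.520", "192x168x2x52", "winxp010", "dc01"]
SOURCES = ["udp:8002", "udp:8009", "udp:8012", "udp:8080", "udp:514"]

HOST_PATTERN = "(192.168.2.52|192.168.69.15|winxp01)"

if __name__ == "__main__":
    print("stanza rules :", stanza_matches(HOST_PATTERN, HOSTS))
    print("plain regex  :", naive_regex_matches(HOST_PATTERN, HOSTS))
    print("udp:80**     :", stanza_matches("udp:80**", SOURCES))
    print("alternation  :",
          stanza_matches("(udp:8002|udp:8009|udp:8012)", SOURCES))
```

Under these rules the unescaped periods select only the three intended hosts, while the plain-regex reading would also pick up look-alike names; after a change, searching for events from the listed hosts confirms what was actually dropped.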