Referencing Multiple hosts in Props.conf

mattsutton
Explorer

Hi,

Does anyone know if it's possible to create a single props.conf stanza that looks for multiple hosts? I've checked the props.conf spec and example files and had a look around Splunk answers but can't seem to find anything about it, although it seems as though it's possible for multiple sources. What I want to do is something like this:

[host::(192.168.2.52)|(192.168.69.15)|(winxp01)]
TRANSFORMS-null = transform-to-null

This would then reference the following stanza in transforms.conf:

[transform-to-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

Which would of course send all of the events to the nullQueue. Has anyone managed to achieve this?

Thanks,
Matt

behlkush
Path Finder

This worked for me:

[host::(10.3.4.2|10.12.3.4|IP3|IP4|and_so_on)]

0 Karma

lukejadamec
Super Champion

Yes, it can be done. According to the props.conf documentation it can be a single host, or a host matching pattern. Generally, when they say 'matching pattern' they mean regex, so in your case it would be something like this:

[host::(192\.168\.2\.52|192\.168\.69\.15|winxp01)]

But, I've never tried it.

lukejadamec
Super Champion

I'm going to venture a guess based on the docs that the period is not one of the available regex type operators, so that means they don't need to be escaped. Did you try this:
[host::(192.168.2.52|192.168.69.15|winxp01)]

anwarmian
Communicator

They don't need to be escaped. Splunk props.conf document should show some examples.

0 Karma

spunk311z
Path Finder

Can anyone help with this? I can't find any clear examples in the props.conf docs, and I can't get this to work in props.conf (I've tried many different variations and many escaping techniques).

[source::(udp:8002|udp:8009|udp:8012)]

EXTRACT-blah......

Any of them alone, of course, works as intended (i.e. [source::udp:8002] works).

[source::udp:80**] works but covers too many.

Thanks

0 Karma

lukejadamec
Super Champion

I found this post where one of the answers explains that you can use some "regex type operators", including pipe as "or", bounded by ().
http://answers.splunk.com/answers/24274/can-you-have-a-wildcard-in-a-propsconf-stanza-header-when-ma...

I also found more information in the props.conf doc under
**[<spec>] stanza patterns:**

http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/Propsconf

0 Karma
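An added example, not from any poster in this thread and not Splunk's own code: a small Python model of the stanza operators listed in the props.conf documentation linked above (`...`, `*`, `|`, `( )`), used to check which hosts or sources a stanza would catch before a nullQueue transform is attached to it. Whole-name matching, the literal treatment of `.`, the function names and the inventories are assumptions made for illustration.

```python
import re

def stanza_to_regex(spec):
    """Model of the documented stanza operators: '...', '*', '|' and '( )'.
    Every other character, '.' included, is treated as a literal (assumption)."""
    if "\\" in spec or "?" in spec:
        raise ValueError("escapes and (?...) groups are not modelled here")
    out, i = [], 0
    while i < len(spec):
        if spec.startswith("...", i):      # '...' matches any run of characters
            out.append(".*")
            i += 3
            continue
        ch = spec[i]
        if ch == "*":                      # '*' stops at a path separator
            out.append(r"[^/\\]*")
        elif ch in "|()":                  # alternation and its scope
            out.append(ch)
        else:
            out.append(re.escape(ch))
        i += 1
    # Assumption: the whole name must match. The (?:...) wrapper keeps a
    # top-level '|' inside the anchors, so (a)|(b) and (a|b) behave alike.
    return re.compile(r"\A(?:" + "".join(out) + r")\Z")

def audit(spec, intended, inventory):
    """Report names the stanza catches by accident and intended names it misses."""
    rx = stanza_to_regex(spec)
    hit = {name for name in inventory if rx.match(name)}
    return {"extra": sorted(hit - set(intended)),
            "missed": sorted(set(intended) - hit)}

# Constructed inventories, for illustration only.
DROP_HOSTS = ["192.168.2.52", "192.168.69.15", "winxp01"]
HOSTS = DROP_HOSTS + ["winxp010", "192.168.2.5", "192x168x2x52"]
DROP_SOURCES = ["udp:8002", "udp:8009", "udp:8012"]
SOURCES = DROP_SOURCES + ["udp:8080", "udp:80"]

if __name__ == "__main__":
    for spec in ("(192.168.2.52|192.168.69.15|winxp01)",
                 "(192.168.2.52)|(192.168.69.15)|(winxp01)"):
        print(spec, audit(spec, DROP_HOSTS, HOSTS))
    for spec in ("udp:80**", "(udp:8002|udp:8009|udp:8012)"):
        print(spec, audit(spec, DROP_SOURCES, SOURCES))
```

A non-empty `extra` list means the stanza would also apply to names outside the intended set, which for a nullQueue transform means those events are discarded before indexing.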

mattsutton
Explorer

A quick brush-up on regex confirms that, still can't seem to get it working though 😞 It has no problem filtering data for two individual hosts, but once I make the host this|that it doesn't like it. I'll keep trying some things.

0 Karma

kristian_kolb
Ultra Champion

No I believe that lukejadamec is right. If it is regex based, it should most likely be (this|that).

0 Karma

mattsutton
Explorer

Thanks for your reply lukejadamec. I've already tried things like this but don't seem to have gotten anywhere. At least I now know it's based on regex which I'd forgotten originally! Also I'm not entirely sure which stanza would work anyway, since from my experience with regex I think it would need to be (this)|(that) as opposed to (this|that).

0 Karma