Re: Referencing Multiple hosts in Props.conf

mattsutton · ‎04-11-2014

Hi,

Does anyone know if it's possible to create a single props.conf stanza that looks for multiple hosts? I've checked the props.conf spec and example files and had a look around Splunk answers but can't seem to find anything about it, although it seems as though it's possible for multiple sources. What I want to do is something like this:

[host::(192.168.2.52)|(192.168.69.15)|(winxp01)]

TRANSFORMS-null = transform-to-null

This would then reference the following stanza in transforms.conf:

[transform-to-null]

REGEX = .

DEST_KEY = queue

FORMAT = nullQueue

Which would of course send all of the events to the nullQueue, has anyone managed to achieve this?

Thanks,
Matt

behlkush · ‎07-27-2021

This worked for me:

[host::(10.3.4.2|10.12.3.4|IP3|IP4|and_so_on)]

lukejadamec · ‎04-11-2014

Yes, it can be done. According to the props.conf documentation it can be a single host, or a host matching pattern. Generally, when they say 'matching pattern' they mean regex, so in your case it would be something like this:

[host::(192\.168\.2\.52|192\.168\.69\.15|winxp01)]

But, I've never tried it.

lukejadamec · ‎04-11-2014

I'm going to venture a guess based on the docs that the period is not one of the available regex type operators, so that means they don't need to be escaped. Did you try this:
[host::(192.168.2.52|192.168.69.15|winxp01)]

anwarmian · ‎02-17-2020

They don't need to be escaped. Splunk props.conf document should show some examples.

spunk311z · ‎07-17-2020

can anyone help with this, i cant find any clear examples in the props.conf docs, and i cant get this to work in props.conf (ive tried many different variations and many escaping techniques ).

[source::(udp:8002|udp:8009|udp:8012)]

EXTRACT-blah......

any of them alone, ofcouse work as intended (ie [source::udp:8002] works)

[source::udp:80**] works but covers too many

thanks

lukejadamec · ‎04-11-2014

I found this post where one of the answers explains that you can use some "regex type operators" including pipe as or bounded by ().
http://answers.splunk.com/answers/24274/can-you-have-a-wildcard-in-a-propsconf-stanza-header-when-ma...

I also found more information in the props.conf doc under
**[<spec>] stanza patterns:**

http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/Propsconf

mattsutton · ‎04-11-2014

Q quick brush up on regex confirms that, still can't seem to get it working though 😞 it has no problem filtering data for two individual hosts but once I make the host this|that or doesn't like it, I'll keep trying some things.

kristian_kolb · ‎04-11-2014

No I believe that lukejadamec is right. If it is regex based, it should most likely be (this|that).

mattsutton · ‎04-11-2014

Thanks for your reply lukejadamec. I've already tried things like this but don't seem to have gotten anywhere. At least I now know it's based on regex which I'd forgotten originally! Also I'm not entirely sure which stanza would work anyway, since from my experience with regex I think it would need to be (this)|(that) as oppose to (this|that).

Referencing Multiple hosts in Props.conf

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk