
Referencing Multiple hosts in Props.conf

Explorer

Hi,

Does anyone know if it's possible to create a single props.conf stanza that looks for multiple hosts? I've checked the props.conf spec and example files and had a look around Splunk answers but can't seem to find anything about it, although it seems as though it's possible for multiple sources. What I want to do is something like this:

[host::(192.168.2.52)|(192.168.69.15)|(winxp01)]
TRANSFORMS-null = transform-to-null

This would then reference the following stanza in transforms.conf:

[transform-to-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

Which would of course send all of the events to the nullQueue. Has anyone managed to achieve this?

Thanks,
Matt

Super Champion

Yes, it can be done. According to the props.conf documentation it can be a single host, or a host matching pattern. Generally, when they say 'matching pattern' they mean regex, so in your case it would be something like this:

[host::(192\.168\.2\.52|192\.168\.69\.15|winxp01)]

But, I've never tried it.

Super Champion

I'm going to venture a guess based on the docs that the period is not one of the available regex type operators, so that means they don't need to be escaped. Did you try this:
[host::(192.168.2.52|192.168.69.15|winxp01)]

0 Karma

Communicator

They don't need to be escaped. Splunk props.conf document should show some examples.

0 Karma

Path Finder

Can anyone help with this? I can't find any clear examples in the props.conf docs, and I can't get this to work in props.conf (I've tried many different variations and many escaping techniques).

[source::(udp:8002|udp:8009|udp:8012)]

EXTRACT-blah......

Any of them alone, of course, work as intended (i.e. [source::udp:8002] works).

[source::udp:80**] works but covers too many.

Thanks

0 Karma

Super Champion

I found this post where one of the answers explains that you can use some "regex type operators" including pipe as or bounded by ().
http://answers.splunk.com/answers/24274/can-you-have-a-wildcard-in-a-propsconf-stanza-header-when-ma...

I also found more information in the props.conf doc under
**[<spec>] stanza patterns:**

http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/Propsconf

0 Karma

Explorer

A quick brush up on regex confirms that; still can't seem to get it working though 😞 It has no problem filtering data for two individual hosts, but once I make the host this|that it doesn't like it. I'll keep trying some things.

0 Karma

Ultra Champion

No I believe that lukejadamec is right. If it is regex based, it should most likely be (this|that).

0 Karma

Explorer

Thanks for your reply lukejadamec. I've already tried things like this but don't seem to have gotten anywhere. At least I now know it's based on regex, which I'd forgotten originally! Also I'm not entirely sure which stanza would work anyway, since from my experience with regex I think it would need to be (this)|(that) as opposed to (this|that).

0 Karma
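Added example, not part of the original thread and not Splunk's own code: a Python sketch of the "[<spec>] stanza patterns" rules from the props.conf doc linked above ('...' matches anything, '*' stops at '/', a single '.' is literal, '|' is "or" scoped by parentheses), for checking which hosts or sources a stanza would select before their events are routed to nullQueue. It assumes the pattern must match the whole value and that backslash escapes are kept as written; the host and source values are constructed.

```python
import re

def stanza_to_regex(pattern):
    """Translate a [host::...] / [source::...] stanza pattern to a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out.append(".*")              # '...' matches any number of characters
            i += 3
        elif pattern[i] == "*":
            out.append("[^/]*")           # '*' stops at the path separator (Unix '/')
            i += 1
        elif pattern[i] == ".":
            out.append(r"\.")             # a single '.' is a literal dot
            i += 1
        elif pattern[i] == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])  # assumption: escapes are kept as written
            i += 2
        else:
            out.append(pattern[i])        # '|', '(' and ')' keep their regex meaning
            i += 1
    # Assumption: the whole pattern has to match the whole host/source value,
    # so the alternation is wrapped in one group before full matching.
    return re.compile("(?:" + "".join(out) + ")")

def matches(pattern, value):
    return stanza_to_regex(pattern).fullmatch(value) is not None

def selected(pattern, values):
    """Return the values a stanza would apply to (here: the ones sent to nullQueue)."""
    return [v for v in values if matches(pattern, v)]

# Constructed sample values, not taken from any real deployment.
HOSTS = ["192.168.2.52", "192.168.69.15", "winxp01", "192x168x2x52", "winxp011", "10.0.0.5"]
SOURCES = ["udp:8002", "udp:8009", "udp:8010", "udp:8012"]

# The three host stanza variants proposed in the thread.
HOST_PATTERNS = [
    r"(192.168.2.52)|(192.168.69.15)|(winxp01)",
    r"(192\.168\.2\.52|192\.168\.69\.15|winxp01)",
    r"(192.168.2.52|192.168.69.15|winxp01)",
]

if __name__ == "__main__":
    for p in HOST_PATTERNS:
        print(f"[host::{p}] ->", selected(p, HOSTS))
    for p in ["(udp:8002|udp:8009|udp:8012)", "udp:80**"]:
        print(f"[source::{p}] ->", selected(p, SOURCES))
```

Under these assumptions all three host variants select the same three hosts, and the `udp:80**` wildcard also picks up `udp:8010`, which is the over-broad match described above.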