Does anyone know if it's possible to create a single props.conf stanza that looks for multiple hosts? I've checked the props.conf spec and example files and had a look around Splunk answers but can't seem to find anything about it, although it seems as though it's possible for multiple sources. What I want to do is something like this:
TRANSFORMS-null = transform-to-null
This would then reference the following stanza in transforms.conf:
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
Which would of course send all of the events to the nullQueue. Has anyone managed to achieve this?
Yes, it can be done. According to the props.conf documentation it can be a single host, or a host matching pattern. Generally, when they say 'matching pattern' they mean regex, so in your case it would be something like this:
But, I've never tried it.
I'm going to venture a guess based on the docs that the period is not one of the available regex type operators, so that means they don't need to be escaped. Did you try this:
Can anyone help with this? I can't find any clear examples in the props.conf docs, and I can't get this to work in props.conf (I've tried many different variations and many escaping techniques).
Any of them alone, of course, work as intended (i.e. [source::udp:8002] works).
[source::udp:80**] works but covers too many.
I found this post where one of the answers explains that you can use some "regex type operators" including pipe as or bounded by ().
I also found more information in the props.conf doc under
**[<spec>] stanza patterns:**
A quick brush up on regex confirms that, still can't seem to get it working though 😞 It has no problem filtering data for two individual hosts, but once I make the host this|that or doesn't like it. I'll keep trying some things.
Thanks for your reply lukejadamec. I've already tried things like this but don't seem to have gotten anywhere. At least I now know it's based on regex which I'd forgotten originally! Also I'm not entirely sure which stanza would work anyway, since from my experience with regex I think it would need to be (this)|(that) as opposed to (this|that).
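As an added illustration (not code from any poster in this thread and not Splunk's own implementation), the Python sketch below models the stanza-pattern operators discussed above so a candidate `[host::...]` or `[source::...]` pattern can be checked against sample values before it is used to route events to the nullQueue. It assumes the pattern must match the whole value, that host matching is case-insensitive while source matching is case-sensitive, and that every character other than `...`, `*`, `|`, `(` and `)` is literal; the function names and the host and source values are constructed for the example.

```python
import re

# Constructed sample values; none of these come from the thread.
HOSTS = ["web01", "WEB02", "web03", "web01.example.com", "web01xexample"]
SOURCES = ["udp:8001", "udp:8002", "udp:8003", "udp:8080"]


def stanza_to_regex(pattern, kind="host"):
    """Translate the <pattern> of [host::<pattern>] / [source::<pattern>].

    Simplified model (assumption): only the operators named in the thread
    are special; anything else, including '.', is treated as a literal.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("...", i):   # '...' spans any characters
            out.append(".*")
            i += 3
        elif pattern[i] == "*":            # '*' stops at a path separator
            out.append("[^/]*")
            i += 1
        elif pattern[i] in "|()":          # '|' is "or", '( )' scope it
            out.append(pattern[i])
            i += 1
        else:                              # literal character
            out.append(re.escape(pattern[i]))
            i += 1
    # Assumption: host stanzas ignore case, source stanzas do not.
    flags = re.IGNORECASE if kind == "host" else 0
    return re.compile("(?:%s)" % "".join(out), flags)


def matching(pattern, values, kind="host"):
    """Return the values that the stanza pattern would select as a whole."""
    rx = stanza_to_regex(pattern, kind)
    return [v for v in values if rx.fullmatch(v)]


if __name__ == "__main__":
    checks = [
        ("(web01|web02)", HOSTS, "host"),        # two hosts, one stanza
        ("web01.example*", HOSTS, "host"),       # '.' is literal here
        ("udp:80*", SOURCES, "source"),          # wildcard covers too many
        ("udp:(8001|8002)", SOURCES, "source"),  # alternation narrows it
    ]
    for pat, vals, kind in checks:
        print("[%s::%s] -> %s" % (kind, pat, matching(pat, vals, kind)))
```

Since a nullQueue transform silently discards everything the stanza selects, compare the printed list against the full inventory of hosts or sources. `splunk btool props list --debug` shows which props.conf stanzas are actually in effect.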