Getting Data In

Why is my input not getting parsed if I use wildcards?

ankithreddy777
Contributor

Hi

I have an input with sourcetype [eventlog].

In props.conf, if I use the sourcetype as below to define settings, it works.
[eventlog]
...

But if I use wildcards as below, my input is not getting parsed according to the configurations defined under the stanza below.
[eventlog*]
...
...

May I know if there is any reason?

0 Karma
1 Solution

MuS
SplunkTrust

Hi ankithreddy777,

There is no official and supported wildcard matching on sourcetype; see the docs: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

**[source::<source>] and [host::<host>] stanza match language:**

Match expressions must match the entire name, not just a substring. If you
are familiar with regular expressions, match expressions are based on a full
implementation of PCRE with the translation of ..., * and . Thus . matches a
period, * matches non-directory separators, and ... matches any number of
any characters.

It only mentions source or host, but not sourcetype.

Hope this helps ...

cheers, Mus
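
Added example (not part of the original posts and not Splunk's own code): a small Python model of the match language quoted above, showing why `[eventlog*]` is only an exact sourcetype name under the documented behaviour while the same wildcard works in a `[source::...]` stanza. It assumes both `/` and `\` are directory separators; the function names and sample values are constructed for illustration.

```python
import re

# Assumption: "/" and "\" both count as directory separators.
_NON_SEP = r"[^/\\]*"

def translate(expr: str) -> str:
    """Translate a source::/host:: match expression into a regex, per the quoted docs."""
    out, i = [], 0
    while i < len(expr):
        if expr.startswith("...", i):   # "..." matches any number of any characters
            out.append(".*")
            i += 3
        elif expr[i] == "*":            # "*" matches non-directory separators
            out.append(_NON_SEP)
            i += 1
        elif expr[i] == ".":            # "." matches a literal period
            out.append(r"\.")
            i += 1
        else:                           # everything else passes through as regex syntax
            out.append(expr[i])
            i += 1
    return "".join(out)

def stanza_applies(stanza: str, source: str, host: str, sourcetype: str) -> bool:
    """Model of the documented behaviour: patterns for source/host, exact name for sourcetype."""
    for prefix, value in (("source::", source), ("host::", host)):
        if stanza.startswith(prefix):
            pattern = translate(stanza[len(prefix):])
            # The expression must match the entire name, not just a substring.
            return re.fullmatch(pattern, value, re.DOTALL) is not None
    return stanza == sourcetype         # no documented wildcard matching here

def matching_stanzas(stanzas, source, host, sourcetype):
    return [s for s in stanzas if stanza_applies(s, source, host, sourcetype)]

if __name__ == "__main__":
    # Constructed sample event metadata and stanza names.
    event = dict(source="/var/log/app/eventlog_security.log",
                 host="web01.example.com", sourcetype="eventlog_security")
    stanzas = ["eventlog", "eventlog*", "eventlog_security",
               "source::/var/log/*/eventlog*.log", "source::/var/*/eventlog*.log",
               "source::.../eventlog*.log", "source::eventlog",
               "host::web*.example.com"]
    for s in matching_stanzas(stanzas, **event):
        print("applies:", f"[{s}]")
```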

ddrillic
Ultra Champion

@ankithreddy777 - please keep in mind that even though it's not officially supported, it works well for us. Something like -

[(?::){0}*<sourcetype tail name>]

Please refer to the following link in which @somesoni2 explained it - How can we apply TRUNCATE across many sourcetypes?

0 Karma

MuS
SplunkTrust

And see here https://answers.splunk.com/answers/8505/is-it-possible-to-use-wildcards-in-sourcetype-props-conf-sta... for @jrodman's comment from 2012 on why you should not rely on it ...

0 Karma

ankithreddy777
Contributor

Hi @ddrillic - Does using wildcards in sourcetype like above follow stanza precedence in ASCII priority?

0 Karma

ddrillic
Ultra Champion

I see @MuS - so, why isn't it a feature after years where people keep asking and needing this feature, that makes clusters of sourcetypes handled uniformly?

0 Karma

MuS
SplunkTrust

I don't know ¯\_(ツ)_/¯ you can log an enhancement request for it if you like 😉

0 Karma

ddrillic
Ultra Champion

I will surely do that @MuS - I love this hidden powerful capability.

0 Karma

ankithreddy777
Contributor

Thank you MuS.

0 Karma