Why is my input not getting parsed if I use wildcards?

ankithreddy777
Contributor

Hi

I have an input with sourcetype [eventlog].

In props.conf, if I use the sourcetype as below to define settings, it is working.
[eventlog]
...

But if I use wildcards as below, my input is not getting parsed according to the configurations defined under the stanza below.
[eventlog*]
...
...

May I know if there is any reason?


MuS
SplunkTrust

Hi ankithreddy777,

there is no official and supported wildcard matching on sourcetype, see the docs http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

**[source::<source>] and [host::<host>] stanza match language:**

Match expressions must match the entire name, not just a substring. If you
are familiar with regular expressions, match expressions are based on a full
implementation of PCRE with the translation of ..., * and . Thus . matches a
period, * matches non-directory separators, and ... matches any number of
any characters.

it only mentions source or host, but not sourcetype.

Hope this helps ...

cheers, Mus
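
A simplified model of the match language quoted in the answer above, as an added example (not Splunk's code and not part of the original posts). The function names, the sample paths and hosts, and treating both `/` and `\` as directory separators are assumptions; the literal comparison for plain sourcetype stanzas models only the documented, supported behaviour.

```python
import re

def translate(expr: str) -> str:
    """Turn a source::/host:: match expression into a regex body."""
    out, i = [], 0
    while i < len(expr):
        if expr.startswith("...", i):
            out.append(".*")          # ... = any number of any characters
            i += 3
        elif expr[i] == "*":
            out.append(r"[^/\\]*")    # * = run of non-directory-separator chars
            i += 1
        elif expr[i] == ".":
            out.append(r"\.")         # . = a literal period
            i += 1
        else:
            out.append(expr[i])       # anything else is passed through as regex
            i += 1
    return "".join(out)

def stanza_matches(stanza: str, source: str, host: str, sourcetype: str) -> bool:
    """Return True if a props.conf stanza header applies to the event (model)."""
    if stanza.startswith("source::"):
        # fullmatch: the expression must match the entire name, not a substring
        return re.fullmatch(translate(stanza[len("source::"):]), source) is not None
    if stanza.startswith("host::"):
        return re.fullmatch(translate(stanza[len("host::"):]), host) is not None
    # Plain [<sourcetype>] stanza: compared literally, so "*" is just a character.
    return stanza == sourcetype

def demo():
    # Constructed sample event metadata, not taken from the thread.
    ev = dict(source="/var/log/sub/app.log", host="web01", sourcetype="eventlog")
    stanzas = ["eventlog", "eventlog*", "source::/var/log/*.log",
               "source::/var/log/....log", "source::/var/log", "host::web*"]
    return {s: stanza_matches(s, **ev) for s in stanzas}

if __name__ == "__main__":
    for stanza, hit in demo().items():
        print(f"[{stanza}] -> {'applies' if hit else 'ignored'}")
```
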


ddrillic
Ultra Champion

@ankithreddy777 - please keep in mind that even though it's not officially supported, it works well for us. Something like -

[(?::){0}*<sourcetype tail name>]

Please refer to the following link in which @somesoni2 explained it - How can we apply TRUNCATE across many sourcetypes?


MuS
SplunkTrust

And see here https://answers.splunk.com/answers/8505/is-it-possible-to-use-wildcards-in-sourcetype-props-conf-sta... @jrodman's comment from 2012 on why you should not rely on it ...


ankithreddy777
Contributor

Hi @ddrillic - Does using wildcards in sourcetype like above follow stanza precedence in ASCII priority?


ddrillic
Ultra Champion

I see @MuS - so, why isn't it a feature after years where people keep asking and needing this feature, that makes clusters of sourcetypes handled uniformly?


MuS
SplunkTrust

I don't know ¯\_(ツ)_/¯ you can log an enhancement request for it if you like 😉


ddrillic
Ultra Champion

I will sure do that @MuS - I love this hidden powerful capability.

ankithreddy777
Contributor

Thank you MuS.
