props.conf - Issue with [<spec>] regex-like syntax

SplunkMan96
Engager

I'm trying to specify a single stanza in props.conf, with FIELDALIAS and EVAL expressions, for two different sourcetypes, "Snare:Security" and "XmlWinEventLog". However, when I use an OR pipe to specify both sourcetypes in the [<spec>], like so:

[Snare:Security|XmlWinEventLog]

neither sourcetype has the rules applied to it. Inspecting "source types" in my search head shows that the rules have been applied to the sourcetype "Snare:Security|XmlWinEventLog", instead of both the individual sourcetypes.

Am I not using the pipe correctly? Per the Splunk documentation:

**[<spec>] stanza patterns:**

When setting a [<spec>] stanza, you can use the following regex-type syntax:

- `...` recurses through directories until the match is met, or equivalently, matches any number of characters.
- `*` matches anything but the path separator 0 or more times. The path separator is '/' on unix, or '\' on Windows. Intended to match a partial or complete directory or filename.
- `|` is equivalent to 'or'.
- `( )` are used to limit scope of `|`.
- `\\` matches a literal backslash '\'.

It seems like it should work. I've tried placing parentheses around the whole expression and around each individual sourcetype.


PickleRick
SplunkTrust

Just look inside Splunk_TA_windows 😉

[(?::){0}WinEventLog:*]
TRANSFORMS-Fixup = ta-windows-fix-classic-source,ta-windows-fix-sourcetype

[(?::){0}XmlWinEventLog:*]
TRANSFORMS-XmlFixup = ta-windows-fix-xml-source,ta-windows-fix-sourcetype


richgalloway
SplunkTrust

If two sourcetypes use the exact same settings then perhaps they should be a single sourcetype.  Also, copying lines to make another sourcetype takes less effort than you've expended so far.  🙂

I've never seen anyone use a regular expression in a props.conf stanza, but it does work in inputs.conf so should work in props.conf.  The catch is the regex engine is only invoked when a wildcard is detected.  I believe that is not documented.



SplunkMan96
Engager

This works, thanks! Using [(?::){0}Snare:Security|XmlWinEventLog] as the stanza specifier applies the rules to both sourcetypes.

In response to the original reply, I would combine the sourcetypes, but they do have meaningfully different formats. As you can see, some come direct from Windows machines in XML format and some are forwarded over syslog using Snare, and have been converted to TSV format. I've translated fields into CIM format for each case, but the raw text still differs, so I feel the sourcetype should as well. I could, of course, copy the same text to two stanzas, but in my opinion that's pretty messy.

I tried adding wildcards to the sourcetype, but it doesn't work as intended. This isn't intended to be actual regex, but the regex-like syntax encompassing those four operators (..., *, |, ()) specified in Splunk's props.conf definition.

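An added example, not code from Splunk, from Splunk_TA_windows or from any poster in this thread: a small Python checker that turns the documented [<spec>] operators into a regex and flags props.conf headers that combine sourcetypes with `|` but, under the literal-unless-wildcard behaviour richgalloway describes, would quietly apply to no real sourcetype. The props.conf text is constructed for the example, and the literal-vs-pattern rule is an assumption drawn from this thread, not Splunk's actual matcher.

```python
import re

# Constructed props.conf sample (not the thread's own file): the header the
# question reports as failing, the accepted answer's form, and a TA-style wildcard.
PROPS_CONF = """
[Snare:Security|XmlWinEventLog]
FIELDALIAS-src = Source_Address AS src
[(?::){0}Snare:Security|XmlWinEventLog]
EVAL-vendor_product = "Microsoft Windows"
[WinEventLog:*]
TRANSFORMS-Fixup = ta-windows-fix-classic-source
"""

FORCE_REGEX = "(?::){0}"             # prefix used in the accepted answer
WILDCARD = re.compile(r"\.\.\.|\*")  # the two documented wildcard tokens
HEADER = re.compile(r"^\[(.+)\]\s*$", re.M)

def spec_to_regex(spec):
    """Documented operators: '...' -> any characters, '*' -> anything but a path
    separator, '|' and '( )' pass through, a doubled backslash -> one literal."""
    out, i = [], 0
    while i < len(spec):
        if spec.startswith("...", i):
            out.append(".*"); i += 3
        elif spec.startswith("\\\\", i):
            out.append(r"\\"); i += 2
        elif spec[i] == "*":
            out.append(r"[^/\\]*"); i += 1
        elif spec[i] in "|()":
            out.append(spec[i]); i += 1
        else:
            out.append(re.escape(spec[i])); i += 1
    return "".join(out)

def is_pattern(header):
    # Assumption drawn from the thread: only a wildcard or the (?::){0} prefix
    # switches a header from a literal sourcetype name to a pattern.
    return header.startswith(FORCE_REGEX) or bool(WILDCARD.search(header))

def stanza_matches(header, sourcetype):
    if not is_pattern(header):
        return header == sourcetype
    body = header[len(FORCE_REGEX):] if header.startswith(FORCE_REGEX) else header
    return re.fullmatch(spec_to_regex(body), sourcetype) is not None

def lint_props(text):
    """Headers that use '|' or '( )' with nothing enabling pattern matching;
    under the assumption above their settings apply to no real sourcetype."""
    return [h for h in HEADER.findall(text) if not is_pattern(h) and re.search(r"[|()]", h)]
```

Running `lint_props` over a deployed props.conf before trusting its CIM field aliases catches the silent failure the question describes, where Windows security events keep arriving but none of the stanza's extractions apply.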