Splunk Enterprise

How to Override source types on a per-event basis with source and wildcard in stanza

SIEMStudent
Path Finder

Hi Splunkers,

for an add-on I'm making, I need to perform a sourcetype override.
The general mechanism is clearly explained in this documentation: Override source types on a per-event basis, and I used it with different results.

If I use, in the props.conf file, a sourcetype like <spec>, it works fine; so, if my data is born with sourcetype A, and A is put in the props.conf as spec, and I want to override it with B, where B is put in transforms.conf under the proper regex, nothing goes wrong and I achieve the desired result.

Now, suppose I want to switch, in the props.conf file for the <spec> parameter, from a sourcetype to a source, and that this source is a file under a specific location. Of course, I could put the full path of the source; but, for different reasons, this path may change in our production environment, so I need to switch from the full path to a partial one; the worst case is where we must change from:

C:\sub1\sub2\sub3.test_file.txt

to:

...\test_file.txt

So, my question is: what is the proper wildcard syntax to achieve this purpose? Until now I have tried:

...\test_file.txt
C:\...\test_file.txt
//C:\...\test_file.txt

but they do not work and the sourcetype is not overridden.

Labels (1)
0 Karma
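As an added illustration (not part of SIEMStudent's post, and not an answer from the thread), here is the props.conf/transforms.conf pair a practitioner would try for this case. In a `[source::...]` stanza header, `...` matches any run of characters including path separators, while `*` stops at a path separator, so `...` is the wildcard that absorbs the drive letter and the changing directory prefix. The backslash before the file name is doubled because the stanza pattern is interpreted like a regular expression. The sourcetype name `B` and the transform name `override_to_B` are placeholders taken from the question, and the single-dot `REGEX` is the documented "match every event" form for a per-event sourcetype override:

```ini
# props.conf (added example, not from the original post)
# Matches test_file.txt in any directory, on any drive:
# "..." spans path separators, so C:\sub1\sub2\sub3\test_file.txt
# and D:\anything\test_file.txt both hit this stanza.
[source::...\\test_file.txt]
TRANSFORMS-set_sourcetype = override_to_B

# transforms.conf (added example; "B" and "override_to_B" are placeholders)
[override_to_B]
REGEX = .
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::B
```

Two caveats when testing this: `TRANSFORMS-*` settings are index-time, so the files must live on the first full Splunk instance that parses the data (an indexer or heavy forwarder, not a universal forwarder), and already-indexed events keep their old sourcetype. To confirm the match, ingest a fresh copy of the file and run `index=<your_index> source="*test_file.txt" | stats count by source, sourcetype`; if the count still shows sourcetype A, the stanza header is not matching the stored source value, so compare it character by character against `| stats count by source` before changing the regex.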