Splunk Search

Precedence of explicit vs wildcard in props.conf

Jason
Motivator

I'm setting the timezone for hundreds of forwarders at once by using props.conf wildcards on host:

[host::DN*]
# Denver Hosts
TZ = America/Denver

However, there are a few hosts that have timezones mis-set. Will setting the following explicit entry in the same file (in etc/apps/theapp/local) override the above wildcard?

[host::DNSERVER9]
# Misconfigured to Central time
TZ = America/Chicago

If not, can I override by putting the setting in a different app, (earlier lexographically), such as etc/apps/appname/local?

Tags (1)
1 Solution

Jason
Motivator

According to props.conf.spec, it seems that the literal will override the pattern/wildcard by default:

If not specified, the default value for the priority field for:
     - pattern matching stanzas is 0
     - literal matching stanzas is 100

View solution in original post

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

lexicographic app will not override. however, literal (non-wildcard) matches in props.conf will override wildcard matches.

Jason
Motivator

According to props.conf.spec, it seems that the literal will override the pattern/wildcard by default:

If not specified, the default value for the priority field for:
     - pattern matching stanzas is 0
     - literal matching stanzas is 100
0 Karma

Jason
Motivator

And also check the spec for the ability to set priority to override things as need be.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...