Splunk Search

Precedence of explicit vs wildcard in props.conf

Motivator

I'm setting the timezone for hundreds of forwarders at once by using props.conf wildcards on host:

[host::DN*]
# Denver Hosts
TZ = America/Denver

However, there are a few hosts that have timezones mis-set. Will setting the following explicit entry in the same file (in etc/apps/theapp/local) override the above wildcard?

[host::DNSERVER9]
# Misconfigured to Central time
TZ = America/Chicago

If not, can I override by putting the setting in a different app, (earlier lexographically), such as etc/apps/appname/local?

Tags (1)
1 Solution

Motivator

According to props.conf.spec, it seems that the literal will override the pattern/wildcard by default:

If not specified, the default value for the priority field for:
     - pattern matching stanzas is 0
     - literal matching stanzas is 100

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

lexicographic app will not override. however, literal (non-wildcard) matches in props.conf will override wildcard matches.

Motivator

According to props.conf.spec, it seems that the literal will override the pattern/wildcard by default:

If not specified, the default value for the priority field for:
     - pattern matching stanzas is 0
     - literal matching stanzas is 100

View solution in original post

0 Karma

Motivator

And also check the spec for the ability to set priority to override things as need be.

0 Karma