For the source stanza, Splunk uses regular expressions that are PCRE (Perl Compatible Regular Expressions). From props.conf.spec **[source::<source>] and [host::<host>] stanza match language:**
Ma...
See more...
For the source stanza, Splunk uses regular expressions that are PCRE (Perl Compatible Regular Expressions). From props.conf.spec **[source::<source>] and [host::<host>] stanza match language:**
Match expressions must match the entire name, not just a substring. Match
expressions are based on a full implementation of Perl-compatible regular
expressions (PCRE) with the translation of "...", "*", and "." Thus, "."
matches a period, "*" matches non-directory separators, and "..." matches
any number of any characters. Also from props.conf.spec When setting a [<spec>] stanza, you can use the following regex-type syntax:
... recurses through directories until the match is met
or equivalently, matches any number of characters.
* matches anything but the path separator 0 or more times.
The path separator is '/' on unix, or '\' on Windows.
Intended to match a partial or complete directory or filename.
| is equivalent to 'or'
( ) are used to limit scope of |.
\\ = matches a literal backslash '\'. So for mylog_* you could specify source::.../mylog_* It's been a few years on this one, so hope I am right this time!