Looks like you already figured out the first part, but just in case, here's a good reference:
http://www.splunk.com/base/Documentation/latest/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles#First.2C_define_a_field_transform
If you want the extraction to apply to all sourcetypes, then just create your entry in props.conf at the top of the file, outside of any stanza heading. Entries in the file that are not beneath a [stanza] header are considered to be global.
There's no way to do a wildcard like [log4j-*], at least as of Splunk 4.1. There are three main options:

1. Define the extraction globally, putting your EXTRACT-xxx or REPORT-xxx line at the top of props.conf.
2. Define the extraction multiple times, with a separate stanza for each sourcetype.
3. Define the extraction for sourcetype [log4j], and rename each log4j-xxx sourcetype. Going forward, manually assign the sourcetype so that you don't get the variations.

Option 3 is usually preferable.
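A sketch of what option 3 from the answer above could look like in props.conf, added here as an illustration and not taken from the original post. The sourcetype names `log4j-app1` and `log4j-app2`, the class name `log4j_level`, the field name `log_level` and the regex are hypothetical; the regex assumes events that start with a date, a time and then an upper-case level.

```ini
# props.conf (added example; stanza names, field name and regex are hypothetical)

# Single search-time extraction, defined once on the canonical sourcetype.
# Assumed event shape: "2010-05-01 12:00:00,123 ERROR [main] com.example.Foo - msg"
[log4j]
EXTRACT-log4j_level = ^\S+\s+\S+\s+(?<log_level>[A-Z]+)\s

# Existing variants are renamed at search time so they are searched as
# sourcetype=log4j and pick up the extraction above.
[log4j-app1]
rename = log4j

[log4j-app2]
rename = log4j
```

For new inputs, setting `sourcetype = log4j` on the monitor stanza in inputs.conf keeps further variants from being created.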