Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does wildcard sourcetypes in props.conf still work for version 7.0.1?

hettervik
Builder
‎02-09-2018 06:28 AM

Hi,

I know it should be possible to use wildcard sourcetypes in props.conf using a some regex magic, as explained here:

https://www.splunk.com/blog/2014/07/31/quick-tip-wildcard-sourcetypes-in-props-conf.html

The stanza should look something like this:

[(?::){0}acme:*]

However, at the customer where I'm currently at, I don't get it to work. I've tried changing the sourcetype [stanza] to one of the specific sourcetypes I wanted to hit with the wildcard stanza, and then it worked, so I know the problem isn't due to permissions or anything. Can anyone confirm if the wildcard regex magic is still supported in 7.0.1, and if not, if there are any workarounds? If it is supported, does anyone have an idea of what might be the problem?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hettervik
Builder
‎02-10-2018 06:28 AM

I found the answer to my own question. My sourcetypes had slashes in them. As stated in props.conf.

*   matches anything but the path separator 0 or more times.
    The path separator is '/' on unix, or '\' on windows.
    Intended to match a partial or complete directory or filename.

Splunk though that the slashes in my sourcetypes was path separators, and thus the asterisk wildcard "stopped" whenever it hit a slash in the sourcetype name, and didn't match the whole name. The solution was to use an ellipsis (...) instead, which allows for "recursive" matching beyond slashes. The final stanza I ended up with looked like the following.

[(?::){0}acme:...]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

hettervik
Builder
‎02-10-2018 06:28 AM

I found the answer to my own question. My sourcetypes had slashes in them. As stated in props.conf.

*   matches anything but the path separator 0 or more times.
    The path separator is '/' on unix, or '\' on windows.
    Intended to match a partial or complete directory or filename.

Splunk though that the slashes in my sourcetypes was path separators, and thus the asterisk wildcard "stopped" whenever it hit a slash in the sourcetype name, and didn't match the whole name. The solution was to use an ellipsis (...) instead, which allows for "recursive" matching beyond slashes. The final stanza I ended up with looked like the following.

[(?::){0}acme:...]
0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎02-09-2018 07:41 AM

I don't know if wildcard sourcetypes work, but I've had success with using the [default] stanza in props.conf.

[default]
LOOKUP-src_user = user_ips src AS ip
0 Karma
Reply
Solved! Jump to solution

chadmedeiros
Path Finder
‎06-13-2019 02:28 PM

While this works, it doesn't address the need of the OP. If you used a [default] stanza in an app that is shared globally, the LOOKUP would be applied to every single index & sourcetype -- which is no bueno.

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...