Does anyone know which props.conf keys work with w...

sideview · ‎10-14-2013

I'm having to use wildcarded stanzas for a lot of my sourcetypes in props.conf, and although I'd like to have the core config appear just once in the file, I'm finding that some keys actually do not function in wildcarded stanzas - these keys only work when present in a plain old [actualSourcetypeName] stanza.

So far I've found that CHECK_FOR_HEADER, SHOULD_LINEMERGE and pulldown_type really have to be in a plain old stanza and do not work in wildcarded props stanzas.

On the other extreme, all EVAL-*, LOOKUP-* and REPORT-* seem to work fine in the wildcarded stanzas.

I'm still testing my way through this and I have yet to test TIME_FORMAT, TIME_PREFIX, BREAK_ONLY_BEFORE_DATE MAX_TIMESTAMP_LOOKAHEAD and initCrcLength. It's feeling like these too will also not work in the wildcarded stanzas.

But does anyone know of a reference in the docs that comes out and says which attributes work this way and which don't?

alacercogitatus · ‎10-15-2013

I'd agree with sowings, it seems as if Index time extractions are not wildcard-able. You can add TZ to the list that won't wildcard. I was trying to force some IIS TZ and it didn't work on iis-3, but it did on iis.

I don't know if this is mentioned in the Docs anywhere, I haven't seen it.

sowings · ‎10-15-2013

After a preliminary glance at the keys you name, it sounds like it might be the distinction between parse time and search time.

Does anyone know which props.conf keys work with wildcarded stanzas and which dont?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!