Hello,
Our naming convention has a relatively strict set of rules on it.
e.g.
datacenter+envionmentnumber+securityzone+role+increment.
NY0099HTTPD001
Right now, I find myself add an extraction in EVERY source type I do to break that up as key value pairs for users. Is there a way to do this globally?
Adding to what @acharlieh has mentioned, if you mention the extraction under default stanza, it should take precedence and apply to every sourcetype.
Example
EXTRACT-extract_ip = (?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})
[foo]
.......
Hope this helps. Thanks!
Raghav
Not in the UI, but I would think you could define a named REPORT outside of all stanzas in props.conf, or define it in a wild carded stanza:
http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf