I want to know if it's possible in props.conf to create one stanza for multiple sourcetypes that doesn't use regex.
I want all of my Linux logs to check the hostname vs a lookup table that has a plethora of data in it. I need it to check multiple sourcetypes and I don't want to have to copy and paste the stanza over and over.
It seems like it should be simple:
[sourcetype1|sourcetype2|sourcetype3]
LOOKUP-test = lookup_test host OUTPUT ip
You can use wildcards like this:
[(?:::){0}sourcetype*]