Getting Data In

Can you have a wildcard in a props.conf stanza header when matching sourcetypes?

erga00
Path Finder

I have some settings that I want to apply to several sourcetypes with similar names. Can I do something like this in props.conf?

[examplesourcetype*]

stuff...

Instead of:

[examplesourcetype1]

[examplesourcetype2]
...and so on.

The documentation doesn't say it's forbidden but it doesn't explicitly say its possible either. You can do wildcards with sources & hosts so it's not such a stretch to think sourcetypes should work too.

Does anyone know for sure either way?

Tags (1)

yannK
Splunk Employee
Splunk Employee

Hi you can have wildcards in props.conf

but the following priority rules apply : exact > widlcard, and alphabetical A > B
so if you need, try adding a priority parameter :
exact stanza = default priority 100
wildcard stanza = default priority 10
highest priority wins of course.

see http://docs.splunk.com/Documentation/Splunk/4.3.1/admin/Attributeprecedencewithinafile

Jason
Motivator

Yes, you can, though it's not documented clearly (or at all). For host:: and source:: stanzas, you can simply use the * character for a wildcard. But for sourcetype, you need to use the following odd syntax: (?::){0}

For example:

[(?::){0}WinEventLog:*]
REPORT-myfield = do_some_stuff

fervin
Path Finder

I have opened a support ticket requesting clarification on this (case 321848). As we drive HTTP Event Collector (EC) adoption, I think it's going to be necessary to set props based on a sourcetype prefix. If we issue two EC tokens which define sourcetype=ec:aspnet:application1 and sourcetype=ec:aspnet:application2 respectively, the ideal configuration would be to configure props on sourcetype=ec:aspnet:* rather than maintaining separate directives.

0 Karma

helge
Builder

@fervin: Please post any more information you may receive on this. Thanks!

0 Karma

helge
Builder

This same solution is presented in a 2014 Splunk blog article written by Splunk's Jason Conger. However, Splunk's Joshua Rodman commented: "This is not supported product functionality, and relying on it is extremely unwise."

It would be good to have an official recommendation as to whether this "hack" is supported. Or, better yet, Splunk should support wildcard for sourcetypes, too!

Blog article mentioned: http://blogs.splunk.com/2014/07/31/quick-tip-wildcard-sourcetypes-in-props-conf/

0 Karma

bbingham
Builder

I've personally never tried this, as I don't have many sourcetypes with similar names, but I think you're more then ok.

From the docs:

When setting a [<spec>] stanza, you can use the following regex-type syntax:
... recurses through directories until the match is met.
*   matches anything but / 0 or more times.
|   is equivalent to 'or'
( ) are used to limit scope of |.

And since "spec" is defined as:

<spec> can be:
 1. <sourcetype>, the source type of an event.
 2. host::<host>, where <host> is the host for an event.
 3. source::<source>, where <source> is the source for an event.
 4. rule::<rulename>, where <rulename> is a unique name of a source type classification rule.
 5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed source type classification rule.

I would say that though they don't "explicitly" say it's possible, they imply it's a valid match. The bigger thing to make sure of is the spec matching conditions and make sure your regex is written in a way to only match your desired "sourcetype1" specs.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...