Does props.conf support wildcards?

daniel333 · ‎07-13-2016

All,

I found myself writing this props.conf today.

Say I have this:

[tomcat:src:server]
EXTRACT-springapp_name = /var/log/containerlogs/(?.+)/\d in source
EXTRACT-containerid = /var/log/containerlogs/.+/(?.+)/ in source

[tomcat:src:access]
EXTRACT-springapp_name = /var/log/containerlogs/(?.+)/\d in source
EXTRACT-containerid = /var/log/containerlogs/.+/(?.+)/ in source

I could I just do this?

[tomcat:src:*]
EXTRACT-springapp_name = /var/log/containerlogs/(?.+)/\d in source
EXTRACT-containerid = /var/log/containerlogs/.+/(?.+)/ in source

the_wolverine · ‎07-13-2016

I have seen wildcards in source are buggy and don't work as expected. File bugs.

somesoni2 · ‎07-13-2016

I believe the stanza for sourcetype doesn't support wild-card/regular expression. The stanza for host:: and source:: do.

http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Propsconf

[<spec>]
<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an
                 event.
3. source::<source>, where <source> is the source, or source-matching
                     pattern, for an event.

dshpritz · ‎07-13-2016

Not officially. Should it? Yes! But no, it does not.

An unofficial/unsupported/could break in the future solution is this:
http://blogs.splunk.com/2014/07/31/quick-tip-wildcard-sourcetypes-in-props-conf/

So you would use something like:

[(?::){0}tomcat:src:*]

Again, this is an undocumented way of doing this, so Splunk could take that away at any point, so keep that in mind.

Dave

Does props.conf support wildcards?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases