Does props.conf support wildcards?

daniel333 · ‎07-13-2016

All,

I found myself writing this props.conf today.

Say I have this:

[tomcat:src:server]
EXTRACT-springapp_name = /var/log/containerlogs/(?.+)/\d in source
EXTRACT-containerid = /var/log/containerlogs/.+/(?.+)/ in source

[tomcat:src:access]
EXTRACT-springapp_name = /var/log/containerlogs/(?.+)/\d in source
EXTRACT-containerid = /var/log/containerlogs/.+/(?.+)/ in source

I could I just do this?

[tomcat:src:*]
EXTRACT-springapp_name = /var/log/containerlogs/(?.+)/\d in source
EXTRACT-containerid = /var/log/containerlogs/.+/(?.+)/ in source

the_wolverine · ‎07-13-2016

I have seen wildcards in source are buggy and don't work as expected. File bugs.

somesoni2 · ‎07-13-2016

I believe the stanza for sourcetype doesn't support wild-card/regular expression. The stanza for host:: and source:: do.

http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Propsconf

[<spec>]
<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an
                 event.
3. source::<source>, where <source> is the source, or source-matching
                     pattern, for an event.

dshpritz · ‎07-13-2016

Not officially. Should it? Yes! But no, it does not.

An unofficial/unsupported/could break in the future solution is this:
http://blogs.splunk.com/2014/07/31/quick-tip-wildcard-sourcetypes-in-props-conf/

So you would use something like:

[(?::){0}tomcat:src:*]

Again, this is an undocumented way of doing this, so Splunk could take that away at any point, so keep that in mind.

Dave

Does props.conf support wildcards?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life