Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is my input not getting parsed if I use wildcards?

ankithreddy777
Contributor
‎08-09-2018 03:37 PM

Hi

I have a input with sourcetype [eventlog].

In props.conf If I use sourcetype as below to define settings it is working.
[eventlog]
...

But if I use wildcards as below my input is not getting parsed according to the configurations defined under below stanza.
[eventlog*]
...
...

May I know if there is any reason?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎08-09-2018 03:49 PM

Hi ankithreddy777,

there is no official and supported wildcard matching on sourcetype, see the docs http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

**[source::<source>] and [host::<host>] stanza match language:**

Match expressions must match the entire name, not just a substring. If you
are familiar with regular expressions, match expressions are based on a full
implementation of PCRE with the translation of ..., * and . Thus . matches a
period, * matches non-directory separators, and ... matches any number of
any characters.

it only mentions source or host, but not sourcetype.

Hope this helps ...

cheers, Mus

View solution in original post

Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎08-09-2018 04:30 PM

@ankithreddy777 - keep please in mind that even though it's not officially supported, it works well for us. Something like -

[(?::){0}*<sourcetype tail name>]

Please refer to the following link in which @somesoni2 explained it - How can we apply TRUNCATE across many sourcetypes?

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎08-09-2018 04:46 PM

Add see here https://answers.splunk.com/answers/8505/is-it-possible-to-use-wildcards-in-sourcetype-props-conf-sta... @jrodman 's comment from 2012 why you should not rely on it ...

0 Karma
Reply
Solved! Jump to solution

ankithreddy777
Contributor
‎08-10-2018 11:15 AM

Hi @ddrillic - Using wildcards in sourcetype like above follow stanza precedence in ASCII priority?.

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎08-09-2018 05:26 PM

I see @MuS - so, why isn't it a feature after years where people keep asking and needing this feature, that makes clusters of sourcetypes handled uniformly?

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎08-09-2018 05:36 PM

I don't know ¯\_(ツ)_/¯ you can log an enhancement request for it if you like 😉

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎08-09-2018 05:43 PM

I will sure do that @MuS - I love this hidden powerful capability.

0 Karma
Reply
Solved! Jump to solution
Solution

MuS
Legend
‎08-09-2018 03:49 PM

Hi ankithreddy777,

there is no official and supported wildcard matching on sourcetype, see the docs http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

**[source::<source>] and [host::<host>] stanza match language:**

Match expressions must match the entire name, not just a substring. If you
are familiar with regular expressions, match expressions are based on a full
implementation of PCRE with the translation of ..., * and . Thus . matches a
period, * matches non-directory separators, and ... matches any number of
any characters.

it only mentions source or host, but not sourcetype.

Hope this helps ...

cheers, Mus

Reply
Solved! Jump to solution

ankithreddy777
Contributor
‎08-09-2018 04:05 PM

Thank you MuS.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...