Is it possible to use two stanza specs in props.co...

h3llocomputer · ‎10-28-2019

I have a syslog server that collects all of my network device logs (routers, switches, etc) and I have a Universal Forward set up on this server to send all of these logs to Splunk Cloud. I have a new group of devices sending logs to this syslog server and I need to edit the timezone for these new devices (I cannot edit the timestamp at the source). I know that I will need to change my forward server on the UF and change it to my Heavy Forwarder since as far as I know, I can't do any timestamp parsing on the UF.

Would I be able to use multiple specs to in props.conf to enable me to single out these specific devices AND the specific sourcetype (since I'm using a wildcard in the host spec, I want to be sure I am only getting the "syslog:network" logs)? Example:

[host::CISCO_*] AND [syslog:network]
TZ = America/Chicago

Is this possible, or am I doomed to creating a stanza for each host device?

woodcock · ‎10-28-2019

It is a little known fact that as of v6.6 Indexers will honor the TZ= setting as it exists on the UF in preference to anything that exists on the Indexer. So just use a sourcetype-based setting on the syslog-ng UF.

h3llocomputer · ‎10-28-2019

Interesting. Would this setting live in props.conf on the UF or in some other file?

Is it possible to use two stanza specs in props.conf?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!