Getting Data In

Can multiple wildcards be used in host:: stanza in props.conf?

edwardrose
Contributor

Is it possible to use multiple wildcards in the host:: stanza in the props.conf file?

[host::svr-*-blah-*]
TRANSFORMS-remove = remove_stuff

So we are trying to remove stuff from multiple hosts in different geographical locations that have very similar names:

svr-us-blah-01
svr-us-blah-02
svr-us-blah-03
svr-eur-blah-01
svr-eur-blah-02
svr-eur-blah-03
svr-pac-blah-01
svr-pac-blah-02
svr-pac-blah-03

Each host will collect very similar logs and then forward the logs to Splunk, but we want to dump the noise, so I was hoping that I could just use the [host::svr-*-blah-*] stanza to apply the same props/transforms to each host for dumping the noise.

Will that work?

thanks
ed


manjunathmeti
SplunkTrust

Yes, host matching patterns can be used in [host::]. All the attributes under this stanza are applied to the data from matching hosts. You need to make sure whatever field extractions and data transformations you write under this stanza work for logs coming from all the hosts.

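Added example, not part of the original thread and not Splunk's own code: a small Python check of which host names a [host::...] pattern would cover before a noise-dropping transform is attached to it, so an over-broad wildcard does not silently discard data from hosts you did not intend. It assumes the stanza pattern semantics described in props.conf.spec ("*" matches anything except a path separator, "..." matches anything, "|" and "( )" give alternation, the whole host name must match, host:: matching is case-insensitive); the function names and the extra host names are constructed for illustration.

```python
import re

def stanza_to_regex(pattern):
    """Translate the <pattern> of a [host::<pattern>] stanza into a regex.

    Assumed semantics (props.conf.spec): '*' = any run of characters except
    a path separator, '...' = any run of characters, '|' and '( )' =
    alternation, everything else literal. host:: matches ignore case.
    """
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            parts.append(".*")
            i += 3
            continue
        ch = pattern[i]
        if ch == "*":
            parts.append(r"[^/\\]*")
        elif ch in "(|)":
            parts.append(ch)
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("".join(parts), re.IGNORECASE)

def matching_hosts(pattern, hosts):
    """Return the hosts whose full name matches the stanza pattern."""
    rx = stanza_to_regex(pattern)
    return [h for h in hosts if rx.fullmatch(h)]

# Host names from the question.
INTENDED = [f"svr-{region}-blah-0{n}"
            for region in ("us", "eur", "pac") for n in (1, 2, 3)]

# Constructed names that may or may not be meant to lose their "noise".
CONSTRUCTED = ["SVR-US-BLAH-01", "svr-us-east-blah-01-old", "svr-us-blah",
               "web-us-blah-01", "svr-us-blah-01.example.com"]

BROAD = "svr-*-blah-*"             # pattern from the question
TIGHT = "svr-(us|eur|pac)-blah-*"  # narrower alternative

if __name__ == "__main__":
    for pat in (BROAD, TIGHT):
        print(pat)
        print("  intended  :", matching_hosts(pat, INTENDED))
        print("  unexpected:", matching_hosts(pat, CONSTRUCTED))
```

Running it against an export of the real host inventory before deploying the stanza shows exactly which sources the transform will touch.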
