Getting Data In

Does anyone know which props.conf keys work with wildcarded stanzas and which don't?

sideview
SplunkTrust

I'm having to use wildcarded stanzas for a lot of my sourcetypes in props.conf, and although I'd like to have the core config appear just once in the file, I'm finding that some keys actually do not function in wildcarded stanzas - these keys only work when present in a plain old [actualSourcetypeName] stanza.

So far I've found that CHECK_FOR_HEADER, SHOULD_LINEMERGE and pulldown_type really have to be in a plain old stanza and do not work in wildcarded props stanzas.

On the other extreme, all EVAL-*, LOOKUP-* and REPORT-* seem to work fine in the wildcarded stanzas.

I'm still testing my way through this and I have yet to test TIME_FORMAT, TIME_PREFIX, BREAK_ONLY_BEFORE_DATE, MAX_TIMESTAMP_LOOKAHEAD and initCrcLength. It's feeling like these too will also not work in the wildcarded stanzas.

But does anyone know of a reference in the docs that comes out and says which attributes work this way and which don't?

alacercogitatus
SplunkTrust

I'd agree with sowings, it seems as if Index time extractions are not wildcard-able. You can add TZ to the list that won't wildcard. I was trying to force some IIS TZ and it didn't work on iis-3, but it did on iis.

I don't know if this is mentioned in the Docs anywhere, I haven't seen it.

0 Karma

sowings
Splunk Employee

After a preliminary glance at the keys you name, it sounds like it might be the distinction between parse time and search time.

0 Karma
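
A check based on the reports in this thread, as an added example that is not from any of the posters or from Splunk: it scans props.conf text and flags keys in wildcarded stanzas that the posts above reported, or suspected, do not apply there. The key lists are the posters' observations rather than a documented list, and the `lint_props` name, the rule that a `*` or `...` in the header marks a wildcarded stanza, and the sample stanzas are assumptions made for illustration.

```python
import re
# Keys posters in this thread reported as not applying in wildcarded stanzas
# (their observations, not a documented list).
REPORTED = {"CHECK_FOR_HEADER", "SHOULD_LINEMERGE", "pulldown_type", "TZ"}
# Keys the original poster suspected but had not yet tested.
SUSPECTED = {"TIME_FORMAT", "TIME_PREFIX", "BREAK_ONLY_BEFORE_DATE",
             "MAX_TIMESTAMP_LOOKAHEAD", "initCrcLength"}
STANZA = re.compile(r"^\[(.*)\]\s*$")
SETTING = re.compile(r"^([^=\s]+)\s*=")

def lint_props(text):
    """Return (line_no, stanza, key, status) for flagged keys in wildcarded stanzas."""
    findings, stanza, wild = [], None, False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            stanza = m.group(1)
            # Assumption: a '*' or '...' in the header marks a wildcarded stanza.
            wild = "*" in stanza or "..." in stanza
            continue
        m = SETTING.match(line)
        if m and wild:
            key = m.group(1)
            if key in REPORTED:
                findings.append((no, stanza, key, "reported"))
            elif key in SUSPECTED:
                findings.append((no, stanza, key, "suspected"))
    return findings

# Constructed sample; stanza names and values are made up for illustration.
SAMPLE = """\
[iis-*]
TZ = UTC
SHOULD_LINEMERGE = false
EVAL-app = "web"

[iis]
TZ = UTC

[web_*]
TIME_FORMAT = %Y-%m-%d %H:%M:%S
"""

if __name__ == "__main__":
    for no, stanza, key, status in lint_props(SAMPLE):
        print(f"line {no}: [{stanza}] {key} ({status} in the thread)")
```

Each finding is a candidate for moving into a plain stanza for the exact sourcetype name, then confirming the effective settings on the instance that parses the data.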