Hi,
In my live Splunk environment, I have a syslog receiver on a Linux machine putting all incoming logs in /opt/splunk/var/log/syslog/
In the syslog folder, subfolders are created for each syslog source, and in each subfolder that source's log files are written.
Example: /opt/splunk/var/log/syslog/example123-lx0001-10.10.10.10/example.log
I then pull those log files into Splunk via an agent/UF.
That syslog receiver (that's actually several machines) receives logs from several hundreds of hosts and what I want to do is to apply a props configuration on every source that includes lx001 in the host name of the syslog source.
What I've tried, but not gotten to work:
[source::/opt/splunk/var/log/syslog/*lx0001*]
I would be so glad if someone could lead me in the right direction.