Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to match all hosts in props.conf?

Yaichael
Communicator
‎01-31-2017 07:34 AM

I'm looking to match and filter upcoming events of all hosts. Under SPLUNK_HOME\etc\apps\search\local\props.conf, I tried the following, but I'm not getting the result that I want.

[host::.]
[host::.*]
[host::^.*]
[host::*]

I troubleshot my regular expression at regex101.com and it is matching correctly.

Any ideas?

Thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-31-2017 07:59 AM

Hi Yaichael,
I usually use sourcetype in props.conf, because I found many problems using host or source.
Every way you have to define your stanzas by sourcetype in your props.conf.
So in each props.conf stanza you can add 

TRANSFORMS-sourcetype=set_nullqueue,set_sourcetype

and in transforms.conf

[set_nullqueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

[set_sourcetype]
REGEX=your_regex
DEST_KEY = queue
FORMAT = indexQueue

In this way you discard all and index events that match your_regex.
if you want to index all and discard the events that match your regex, you have to use
props.conf

TRANSFORMS-sourcetype=set_sourcetype,set_nullqueue

transforms.conf

[set_nullqueue]
    REGEX=your_regex
    DEST_KEY=queue
    FORMAT=nullQueue

    [set_sourcetype]
    REGEX=.
    DEST_KEY = queue
    FORMAT = indexQueue

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-31-2017 07:59 AM

Hi Yaichael,
I usually use sourcetype in props.conf, because I found many problems using host or source.
Every way you have to define your stanzas by sourcetype in your props.conf.
So in each props.conf stanza you can add 

TRANSFORMS-sourcetype=set_nullqueue,set_sourcetype

and in transforms.conf

[set_nullqueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

[set_sourcetype]
REGEX=your_regex
DEST_KEY = queue
FORMAT = indexQueue

In this way you discard all and index events that match your_regex.
if you want to index all and discard the events that match your regex, you have to use
props.conf

TRANSFORMS-sourcetype=set_sourcetype,set_nullqueue

transforms.conf

[set_nullqueue]
    REGEX=your_regex
    DEST_KEY=queue
    FORMAT=nullQueue

    [set_sourcetype]
    REGEX=.
    DEST_KEY = queue
    FORMAT = indexQueue

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

Yaichael
Communicator
‎02-02-2017 04:13 AM

Thanks, cusello!

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...