Solved: Can multiple wildcards be used in host:: stanza in...

edwardrose · ‎02-19-2020

Is it possible to use multiple wildcards in the host:: stanza in the props.conf file?

[host::svr-*-blah-*]
TRANSFORMS-remove = remove_stuff

So we are trying to remove stuff from multiple hosts in different geographical locations that have very similar names

svr-us-blah-01
svr-us-blah-02
svr-us-blah-03
svr-eur-blah-01
svr-eur-blah-02
svr-eur-blah-03
svr-pac-blah-01
svr-pac-blah-02
svr-pac-blah-03

Each host will collect very similar logs and then forward the logs to Splunk, but we want to dump the noise, so I was hoping that I could just use the [host::svr--blah-] stanza to apply the same props/transforms to each host for dumping the noise.

Will that work?

thanks
ed

manjunathmeti · ‎02-19-2020

Yes, host matching patterns can be used for in [host::]. All the attributes under this stanza are applied to the data from matching hosts. You need to make sure whatever field extractions and data transformation you write under this stanza works for logs coming from all the hosts.

View solution in original post

manjunathmeti · ‎02-19-2020

Yes, host matching patterns can be used for in [host::]. All the attributes under this stanza are applied to the data from matching hosts. You need to make sure whatever field extractions and data transformation you write under this stanza works for logs coming from all the hosts.

Can multiple wildcards be used in host:: stanza in props.conf?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?