Digital Resilience Pays Off
How resilient is your organization? Learn how to mature your digital resilience with this free guide.
Quick Tip: Wildcard Sourcetypes in Props.conf
By
Jason Conger
Here is a quick one I use often. Here is an excerpt from props.conf.spec:
[<spec>] * This stanza enables properties for a given <spec>. <spec> can be: 1. <sourcetype>, the source type of an event. 2. host::<host>, where <host> is the host, or host-matching pattern, for an event. 3. source::<source>, where <source> is the source, or source-matching pattern, for an event. 4. rule::<rulename>, where <rulename> is a unique name of a source type classification rule. 5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed source type classification rule. These are only considered as a last resort before generating a new source type based on the source seen.
However, I often want to wildcard a sourcetype for things like lookups. Here is an example, suppose I have the following sourcetypes:
- acme:users
- acme:logins
- acme:sessions
It would be nice to have a stanza in props.conf that read something like:
CAUTION – THIS DOES NOT WORK
[acme:*] LOOKUP-acme = lookup acme_users user_id AS user_id OUTPUTNEW user_name AS user_name FirstName AS FirstName LastName AS LastName
So that doesn’t work, but this regex magic does work:
[(?::){0}acme:*]
LOOKUP-acme = lookup acme_users user_id AS user_id OUTPUTNEW user_name AS user_name FirstName AS FirstName LastName AS LastName
Related Articles
About Splunk
The world’s leading organizations rely on Splunk, a Cisco company, to continuously strengthen digital resilience with our unified security and observability platform, powered by industry-leading AI.
Our customers trust Splunk’s award-winning security and observability solutions to secure and improve the reliability of their complex digital environments, at any scale.
Subscribe to our blog
Get the latest articles from Splunk straight to your inbox.
Connect with Splunk on X
Follow @Splunk
