Todd Waller
Trick to using wildcards in Splunk props.conf
Updated: Oct 16, 2018
Hello everyone, and welcome again to Old Logs New Tricks. In this post we can talk quickly about Splunk and using wildcards in props.conf in your apps.

The problem is that Splunk doesn't respect the wildcards, that is (*), in props.conf. You would think that something like:

[host::*]

would be easily suitable for Splunk configurations, but it is not. BUT NEVER FEAR, there is a way to work around this. In the last post you saw a brief example of this, but here it is again:

[(?::){0}host::*]

Placing (?::){0} before your stanza spec will make it allow the wildcard. So if you wanted to use a sourcetype, say there were 5 that all began with sample*:

sample1
sample2
sample3
sample4
sample5

you could use a sourcetype spec stanza like this to include all of them in one:

[(?::){0}sample*]
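
Read as a regex, (?::){0} is a group repeated zero times, so it matches nothing and only marks the stanza as a pattern. The Python sketch below is an added example, not code from the original post or from Splunk. It uses a simplified, assumed model of stanza matching ('*' as "anything but a path separator", '...' as "anything", plain names compared literally) and constructed sourcetype names to show what the wildcard stanza picks up, including names you may not have intended.

```python
import re

# Zero repetitions of a group holding ':' -> contributes nothing to the match.
PREFIX = "(?::){0}"

def to_regex(pattern):
    """Assumed, simplified model of props.conf pattern translation:
    '...' -> '.*', '*' -> '[^/]*', everything else passed through as regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out.append(".*")
            i += 3
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(pattern[i])
            i += 1
    return re.compile("".join(out))

def resolve(stanza, sourcetypes):
    """Return the sourcetypes a stanza header applies to under this model."""
    if stanza.startswith(PREFIX):
        rx = to_regex(stanza)
        # Whole-name match: the pattern must cover the entire sourcetype.
        return [s for s in sourcetypes if rx.fullmatch(s)]
    # Plain sourcetype stanza: compared as a literal name, '*' included.
    return [s for s in sourcetypes if s == stanza]

# Constructed sourcetype names for illustration.
SOURCETYPES = ["sample1", "sample2", "sample3", "sample4", "sample5",
               "sample_archive", "xsample1", "syslog"]

if __name__ == "__main__":
    for stanza in ("sample*", "(?::){0}sample*"):
        print(f"[{stanza}] -> {resolve(stanza, SOURCETYPES)}")
```

Note that sample_archive matches as well, so check the list of existing sourcetypes before attaching parsing or masking settings to a wildcard stanza.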
Hopefully this saves you some time and headaches! Have a great day!