topic Re: Tips on how to create props.conf on Splunk cloud in Getting Data In

Tips on how to create props.conf on Splunk cloud

splunkisaurus — Tue, 09 Dec 2025 18:44:34 GMT

Greetings,

I am trying to create a little TA to run a command to collect status for the nessus agent. I have it to the point of running the command and sending data in but the line breaking is not working correctly. I tried using the Add Data wizard but it seems to ignore the Should Line Merge = true, each line is an event. I'm new to cloud and maybe I don't know the best way to build a TA, what is the best way to do this?

My primary problem is how do I take the following output from the script and get it loaded into one event?

Running: Yes
Safe Mode: No
Plugins loaded: Yes
Linked to: nm1.tn.gov:8834
Link status: Connected to lorem.ipsum.gov:8834
Last successful connection with controller: 4 secs ago
Proxy: None
Plugin set: 202512062114
Scanning: No (0 jobs pending, 0 smart scan configs)
Scans run today: 0 of 10 limit
Last scanned: 1765177066
Last connect: 1765301522
Last connection attempt: 1765301522

Re: Tips on how to create props.conf on Splunk cloud

bowesmana — Tue, 09 Dec 2025 22:25:03 GMT

Something like the following

[sourcetype] SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]{2}) TIME_FORMAT=%s TIME_PREFIX=Last connection attempt:\s* MAX_TIMESTAMP_LOOKAHEAD=11

with the assumption that you have blocks of data where the event break is a double linefeed/CR between events. See LINE_BREAKER. Timestamp recognition is done with TIME_PREFIX, so adjust for the timestamp you want.

If this is just a single event from a running script, then you can do this instead

[your_sourcetype] SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]Running) TIME_PREFIX=Last connection attempt:\s*

which will treat the event as starting with Running, it will start a new event when it finds Running and as this occurs only once, it will put it all into the single event

Variations on a theme here are setting LINE_BREAKER to something that will never match, e.g.

([\r\n]+end_of_file)

The best way to write a TA is to create yourself a basic simple app and include the props.conf for that definition and upload it as your own app.

Re: Tips on how to create props.conf on Splunk cloud

PrewinThomas — Wed, 10 Dec 2025 09:08:50 GMT

@splunkisaurus

Why dont you output JSON from your script so Splunk ingests clean structured events.

You can also use props.conf if you need to split the events. In that case, you can rely on LINE_BREAKER alone and omit both SHOULD_LINEMERGE and BREAK_ONLY_BEFORE

For eg:

[nessus_agent_status] SHOULD_LINEMERGE = true BREAK_ONLY_BEFORE = ^Running: LINE_BREAKER = ([\r\n]+)Running: TRUNCATE = 0 DATETIME_CONFIG = CURRENT

Regards,
Prewin
🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Re: Tips on how to create props.conf on Splunk cloud

ddrillic — Thu, 25 Dec 2025 00:32:49 GMT

This one makes perfect sense to me -

[your_sourcetype] SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]Running) TIME_PREFIX=Last connection attempt:\s*

Re: Tips on how to create props.conf on Splunk cloud

tscroggins — Fri, 26 Dec 2025 22:12:19 GMT

This will eat/discard "Running," though:

LINE_BREAKER = ([\r\n]Running)

and the event will be:

: Yes Safe Mode: No Plugins loaded: Yes ...

In my own work with Nessus Agent, with or without Splunk, I take an approach similar to @PrewinThomas's suggestion and convert, e.g., the output of 'nessuscli agent status --local --show-uuid' to a PowerShell object, a JSON object, or whatever format makes sense for the consumer. If I were doing this today in Splunk, I would use JSON and an accelerated data model (not INDEXED_EXTRACTIONS) or field/value transformations like field_name=field_value that work with tstats and PREFIX().

Re: Tips on how to create props.conf on Splunk cloud

ddrillic — Sun, 28 Dec 2025 21:57:06 GMT

You are right @tscroggins, it should be more like -

LINE_BREAKER = ([\r\n]+)(?=Running)

A positive lookahead that checks, without consuming.

Re: Tips on how to create props.conf on Splunk cloud

richgalloway — Sun, 28 Dec 2025 22:33:49 GMT

Positive lookahead wastes resources. Over millions of events, those extra cycles add up to excess SVC consumption. This works better

LINE_BREAKER = ([\r\n]+)Running

Re: Tips on how to create props.conf on Splunk cloud

ddrillic — Mon, 29 Dec 2025 15:04:34 GMT

Thank you @richgalloway , so we are "losing" the Running word from the event?

Re: Tips on how to create props.conf on Splunk cloud

ddrillic — Tue, 30 Dec 2025 01:22:57 GMT

Just checked -

LINE_BREAKER = ([\r\n]+)Running

"Running" is still part of the _raw data after ingestion.

Re: Tips on how to create props.conf on Splunk cloud

ddrillic — Tue, 30 Dec 2025 17:17:19 GMT

One more thing ; -) @bowesmana , @richgalloway , in general, should we consider using the EVENT_BREAKER on the Universal Forwarder?

Re: Tips on how to create props.conf on Splunk cloud

tscroggins — Tue, 30 Dec 2025 17:36:09 GMT

Yes, although be mindful of the (minimal) local overhead. Enabling event breaker will minimize pipeline stalls and improve load balancing if you're sending to multiple receivers. Throughput will still be limited by the limits.conf [thurput] stanza maxKBps setting, ingest pipelines, queues, receiver capacity, etc.

Re: Tips on how to create props.conf on Splunk cloud

richgalloway — Tue, 30 Dec 2025 20:26:37 GMT

Always. It never hurts to have it and can help when the UF has to break an S2S packet. Don't forget to also set EVENT_BREAKER_ENABLE=true.

Re: Tips on how to create props.conf on Splunk cloud

richgalloway — Tue, 30 Dec 2025 20:28:12 GMT

No, you are not losing "Running" from each event. Only the first capture group in LINE_BREAKER is discarded from the event.

However, positive and negative lookaheads do not perform well in Splunk so they should be avoided.