topic Re: How to create one event per line in scripted innput in Getting Data In

How to create one event per line in scripted innput

bigtyma — Mon, 01 Apr 2013 16:21:28 GMT

I have a scripted file input that is tailing a log file, unfortunately events are not being broken out correctly. I would like one event per line.

Ideas?

Inputs.conf below:

[script://D:\Splunk\etc\apps\sos\bin\sospowershell.cmd oaintfep03.ps1] disabled = false index = main interval = 90 source = oaintfep03 sourcetype = ps

[Sample of data below]

USERENV(dcf8.5ae8) 17:53:05:315 LoadUserProfile: NULL server name USERENV(dcf8.5ae8) 17:53:05:315 LoadUserProfile: no thread token found, impersonating self. USERENV(dcf8.5ae8) 17:53:05:315 GetInterface: Returning rpc binding handle USERENV(364.20c8) 17:53:05:315 IProfileSecurityCallBack: client authenticated. USERENV(364.20c8) 17:53:05:315 MIDL_user_allocate enter USERENV(364.20c8) 17:53:05:315 DropClientContext: Got client token 000009B8, sid = S-1-5-18 USERENV(364.20c8) 17:53:05:315 MIDL_user_allocate enter USERENV(364.20c8) 17:53:05:315 DropClientContext: load profile object successfully made USERENV(364.20c8) 17:53:05:315 DropClientContext: Returning 0 USERENV(364.20c8) 17:53:05:331 MIDL_user_free enter USERENV(dcf8.5ae8) 17:53:05:331 LoadUserProfile: Calling DropClientToken (as self) succeeded USERENV(dcf8.5ae8) 17:53:05:331 CProfileDialog::Initialize : Cookie generated <917DE8361C59FB6371FF057477808B96> USERENV(dcf8.5ae8) 17:53:05:331 CProfileDialog::Initialize : Endpoint generated <IProfileDialog_CE7806EEC5C36D56A877F1B2156E21BB> USERENV(364.102f8) 17:53:05:331 IProfileSecurityCallBack: client authenticated. USERENV(364.102f8) 17:53:05:331 MIDL_user_allocate enter USERENV(364.102f8) 17:53:05:331 LoadUserProfileI: RPC end point IProfileDialog_CE7806EEC5C36D56A877F1B2156E21BB USERENV(364.102f8) 17:53:05:331 In LoadUserProfileP USERENV(364.102f8) 17:53:05:331 LoadUserProfile: Running as client, sid = S-1-5-18 USERENV(364.102f8) 17:53:05:331 ========================================================= USERENV(364.102f8) 17:53:05:331 LoadUserProfile: Entering, hToken = <0xd80>, lpProfileInfo = 0x207bb80 USERENV(364.102f8) 17:53:05:331 LoadUserProfile: lpProfileInfo->dwFlags = <0x0>

Re: How to create one event per line in scripted innput

gfuente — Mon, 01 Apr 2013 16:38:04 GMT

Hello

Edit or create your props.conf file and add:

[ps]
SHOULD_LINEMERGE=false

That should force one event per line

Regards

Re: How to create one event per line in scripted innput

lguinn2 — Mon, 01 Apr 2013 16:38:08 GMT

First, if you have the Splunk *NIX app installed, there is already a sourcetype named ps - and it doesn't match what you are doing here. So if you are using the *NIX app (or think you might in the future), I suggest that you pick a different name for your sourcetype. That might solve the problem altogether, but if it doesn't:

Create the following stanza in props.conf (or add to an existing one):

props.conf

[yoursourcetypename]
SHOULD_LINEMERGE=false

Be sure that you put this props.conf on your indexer (or wherever the data is parsed).

PS - why are you using a scripted input to tail a log file? I would think that a monitor input would be preferable...

Re: How to create one event per line in scripted innput

bigtyma — Mon, 01 Apr 2013 16:52:25 GMT

ps is for Powershell, I am on windows.

Changing props.conf fixed that issue, however my event is now 257 lines long. Should I use max events = 1 to get one event per line?

Using a file monitor had issues since it detected my file as binary, the files are encoded in unicode and I am able to tail the file in the correct encoding in Powershell. It could be better but this mostly works.

I appreciate your help.