<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Script Input broken into events in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Script-Input-broken-into-events/m-p/100114#M20928</link>
    <description>&lt;P&gt;Are you seeing any errors in splunkd.log?&lt;/P&gt;</description>
    <pubDate>Tue, 15 Oct 2013 19:29:30 GMT</pubDate>
    <dc:creator>lukejadamec</dc:creator>
    <dc:date>2013-10-15T19:29:30Z</dc:date>
    <item>
      <title>Script Input broken into events</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Script-Input-broken-into-events/m-p/100113#M20927</link>
      <description>&lt;P&gt;All, &lt;/P&gt;

&lt;P&gt;I have scripted input from PowerShell coming in nicely. The script can generate 1-100 possible results which are formatted like so&lt;/P&gt;

&lt;P&gt;BEGIN&lt;BR /&gt;
var=value&lt;BR /&gt;
var1=value&lt;BR /&gt;
END&lt;/P&gt;

&lt;P&gt;So it pretty clean. But I can end up with near 100 of those blocks. These need to be broken up into seperate events in Splunk. I THINK that is done with Props.conf, I don't honestly use Splunk enough to know for sure. &lt;/P&gt;

&lt;P&gt;So what would my props conf look like? Can someone point me to a working example of breaking up a scripted input? &lt;/P&gt;

&lt;P&gt;Here is an example of the logs coming into splunk and the props.conf file I created&lt;/P&gt;

&lt;P&gt;C:\Windows\system32&amp;gt;set SplunkApp=SH_InternalSystems_SSLCheck_Inputs &lt;BR /&gt;
C:\Windows\system32&amp;gt;cd C:\Program _InternalSystems_SSLCheck_Inputs\bin &lt;BR /&gt;
C:\Program Files\SplunkUniversalForwarder\etc\apps\SH_InternalSystems_SSLCheck_Inputs\bin&amp;gt;C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy RemoteSigned -File .\ssl_check.ps1 &lt;A href="http://www.acompany.com" target="_blank"&gt;www.acompany.com&lt;/A&gt; 443 &lt;BR /&gt;
BEGIN&lt;BR /&gt;
ssl_Target=&lt;A href="http://www.acompany.com" target="_blank"&gt;www.acompany.com&lt;/A&gt;&lt;BR /&gt;
ssl_Issuer=VeriSign Class 3 Extended Validation SSL CA&lt;BR /&gt;
ssl_Port=443&lt;BR /&gt;
ssl_ValidTo=8-13-2015 11:59:59 PM ssl_ValidFrom=8-12-2013 12:00:00 AM&lt;BR /&gt;
END&lt;BR /&gt;
C:\Program Files\SplunkUniversalForwarder\etc\apps\SH_InternalSystems_SSLCheck_Inputs\bin&amp;gt;C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy RemoteSigned -File .\ssl_check.ps1 &lt;A href="http://www.acompetitor.com" target="_blank"&gt;www.acompetitor.com&lt;/A&gt; 443 &lt;BR /&gt;
BEGIN&lt;BR /&gt;
ssl_Target=&lt;A href="http://www.acompetitor.com" target="_blank"&gt;www.acompetitor.com&lt;/A&gt;&lt;BR /&gt;
ssl_Issuer=VeriSign Class 3 Secure Server CA - G3&lt;BR /&gt;
ssl_Port=443&lt;BR /&gt;
ssl_ValidTo=6-7-2014 11:59:59 PM ssl_ValidFrom=6-6-2013 12:00:00 AM&lt;BR /&gt;
END&lt;/P&gt;

&lt;P&gt;Here is my props.conf, where did I go wrong? Where ssl_check is the name of the soucetype. &lt;/P&gt;

&lt;P&gt;[ssl_check]&lt;BR /&gt;
MUST_BREAK_AFTER = ^END$&lt;BR /&gt;
SHOULD_LINEMERGE = true&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 14:58:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Script-Input-broken-into-events/m-p/100113#M20927</guid>
      <dc:creator>daniel333</dc:creator>
      <dc:date>2020-09-28T14:58:51Z</dc:date>
    </item>
    <item>
      <title>Re: Script Input broken into events</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Script-Input-broken-into-events/m-p/100114#M20928</link>
      <description>&lt;P&gt;Are you seeing any errors in splunkd.log?&lt;/P&gt;</description>
      <pubDate>Tue, 15 Oct 2013 19:29:30 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Script-Input-broken-into-events/m-p/100114#M20928</guid>
      <dc:creator>lukejadamec</dc:creator>
      <dc:date>2013-10-15T19:29:30Z</dc:date>
    </item>
    <item>
      <title>Re: Script Input broken into events</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Script-Input-broken-into-events/m-p/100115#M20929</link>
      <description>&lt;P&gt;Is your input coming in from a universal forwarder? If I'm not wrong, you have to put the props.conf somewhere else (e.g. on the heavy forwarder or the indexer) for its rules to work since universal forwarders have limited props.conf capability.&lt;/P&gt;

&lt;P&gt;Another thing you can try is to specify the LINE_BREAKER in the props.conf&lt;/P&gt;</description>
      <pubDate>Wed, 16 Oct 2013 00:50:50 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Script-Input-broken-into-events/m-p/100115#M20929</guid>
      <dc:creator>jonahtang</dc:creator>
      <dc:date>2013-10-16T00:50:50Z</dc:date>
    </item>
  </channel>
</rss>

