https://community.splunk.com/t5/Getting-Data-In/Custom-Sourcetype-Challenges/m-p/124536#M25669 <P>The events were separated correctly. The issue I am facing is how to separate the name : value pairs within the atomic events that I've created. Sorry if that was unclear.</P> Tue, 12 Nov 2013 14:36:49 GMT sloshburch 2013-11-12T14:36:49Z https://community.splunk.com/t5/Getting-Data-In/Custom-Sourcetype-Challenges/m-p/124534#M25667 <P>Using splunk 5.0.2 (although tested on splunk 6 as well - same challenges).</P> <P>We're looking to use splunk to store audits of what software is on our systems. In Windows, we're trying to use "<CODE>Get-WmiObject -Class Win32_Product</CODE>" in powershell. This is defined in my inputs.conf as a <CODE>[script://./bin/script.bat] stanza</CODE>.</P> <P>The props.conf for this sourcetype is:</P> <PRE><CODE>[SloshBurchsSourceType] SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+)Name DATETIME_CONFIG = CURRENT REPORT-SloshBurchsSourceType = SloshBurchsSourceType </CODE></PRE> <P>A single event in splunk is coming in correctly as a block like this:</P> <PRE><CODE>Name : Adobe Shockwave Player 12.0 Vendor : Adobe Systems, Inc Version : 12.0.4.144 Caption : Adobe Shockwave Player 12.0 InstallLocation : C:\Windows\SysWOW64\Adobe\ InstallDate : 20130917 </CODE></PRE> <P>I've set my transforms.conf to </P> <PRE><CODE>[SloshBurchsSourceType] DELIMS="\r\n", ":" </CODE></PRE> <P>This isn't working - I'm not getting any of the fields. I'm guessing it's because of the : in the InstallLocation.</P> <P>I tried switching to this transform.conf but still nothing. I'm guessing I'm using the regex wrong.</P> <PRE><CODE>[SloshBurchsSourceType] REGEX = (?&lt;_KEY_1&gt;.+)\s+:\s+(?&lt;_VALUE_1&gt;.+) FORMAT = $1::$2 </CODE></PRE> <P>I want my sourcetype to automatically extract any "<CODE>name : value</CODE>" pairs from this without me having to list out the field names. I want splunk to dynamically detect the name value pairs in this sourcetype in the same way that is does, out of the box, for "<CODE>name=value</CODE>" format.</P> <P>Any tips? Ideas what I'm doing wrong?</P> <P>Thanks for any responses!</P> Thu, 31 Oct 2013 18:27:01 GMT https://community.splunk.com/t5/Getting-Data-In/Custom-Sourcetype-Challenges/m-p/124534#M25667 sloshburch 2013-10-31T18:27:01Z https://community.splunk.com/t5/Getting-Data-In/Custom-Sourcetype-Challenges/m-p/124535#M25668 <P>Your LINEBREAKER setting is consuming the "Name" characters at the beginning of the event. I would avoid using LINEBREAKER. Try this instead for <CODE>props.conf</CODE></P> <PRE><CODE>[SloshBurchsSourceType] SHOULD_LINEMERGE=true BREAK_ONLY_BEFORE = ^Name\s+\: DATETIME_CONFIG = CURRENT REPORT-SloshBurchsSourceType = SloshBurchsSourceType </CODE></PRE> <P>I think that your first version of <CODE>transforms.conf</CODE> is probably fine.</P> Fri, 01 Nov 2013 19:26:31 GMT https://community.splunk.com/t5/Getting-Data-In/Custom-Sourcetype-Challenges/m-p/124535#M25668 lguinn2 2013-11-01T19:26:31Z https://community.splunk.com/t5/Getting-Data-In/Custom-Sourcetype-Challenges/m-p/124536#M25669 <P>The events were separated correctly. The issue I am facing is how to separate the name : value pairs within the atomic events that I've created. Sorry if that was unclear.</P> Tue, 12 Nov 2013 14:36:49 GMT https://community.splunk.com/t5/Getting-Data-In/Custom-Sourcetype-Challenges/m-p/124536#M25669 sloshburch 2013-11-12T14:36:49Z https://community.splunk.com/t5/Getting-Data-In/Custom-Sourcetype-Challenges/m-p/124537#M25670 <P>Well, since the string "Name:" is actually consumed by your LINEBREAKER setting, it will throw off all the field extractions. That's why I made this recommendation. Plus, your use of LINEBREAKER also makes your data look different in Splunk than it does in the original file, which could throw users off too.</P> Tue, 12 Nov 2013 18:33:51 GMT https://community.splunk.com/t5/Getting-Data-In/Custom-Sourcetype-Challenges/m-p/124537#M25670 lguinn2 2013-11-12T18:33:51Z