topic Re: Line breaking for output via Powershell Script in Getting Data In

Line breaking for output via Powershell Script

shugup2923 — Fri, 08 May 2020 08:30:38 GMT

I have created an app with for running powershell script which gives output as below-

@{Date=05/08/2020;  ARRAY=Server1; LATEST SNAPSHOT(In Days)=1; LATEST SNAPSHOT DATE=05/07/2020; OLDEST SNAPSHOT(In Days)=62}
@{Date=05/08/2020;  ARRAY=Server2; LATEST SNAPSHOT(In Days)=1; LATEST SNAPSHOT DATE=05/07/2020; OLDEST SNAPSHOT(In Days)=62}
@{Date=05/08/2020;  ARRAY=Server3; LATEST SNAPSHOT(In Days)=1; LATEST SNAPSHOT DATE=05/07/2020; OLDEST SNAPSHOT(In Days)=62}
@{Date=05/08/2020;  ARRAY=Server3; LATEST SNAPSHOT(In Days)=0; LATEST SNAPSHOT DATE=05/08/2020; OLDEST SNAPSHOT(In Days)=112}

These events are coming as a single event, I need every line as a separate event for which I tried giving props.conf for my sourcetype as

[my_sourcetype]
LINE_BREAKER =([\r\n]+)
SHOULD_LINEMERGE = false

But after this also,I am not able to get separate events ? Any suggestion over this ?

Re: Line breaking for output via Powershell Script

shivanshu1593 — Fri, 08 May 2020 12:53:04 GMT

Try and implement the same regex ([\r\n]+) on your search head as well,by going to sourcetypes, your sourcetype and adding the regex there.
If that doesn't help you try this regex on props and the search head.

\}[\r\n]+[@]

Let me know if that helps.

Thank you,

Re: Line breaking for output via Powershell Script

shugup2923 — Fri, 08 May 2020 13:33:31 GMT

I have a search head cluster, So is there any another way to update sourcetype on search head cluster ?
Or we can add on any search head member- by going to sourcetype>add new sourcetype >adding it there ?

Re: Line breaking for output via Powershell Script

shivanshu1593 — Fri, 08 May 2020 14:08:00 GMT

Could you try the regex which I gave on the props.conf only and see if that breaks the events for you. Please restart the service as well.

Where is your props.conf stored? HF, Indexers?

Re: Line breaking for output via Powershell Script

shugup2923 — Fri, 08 May 2020 14:43:14 GMT

My props.conf is stored universal forwarder ? will it work from universal forwarder ?
or do i need this to updated on indexers ?

Re: Line breaking for output via Powershell Script

shivanshu1593 — Fri, 08 May 2020 15:05:40 GMT

Yeah. This will not work on Universal forwarders. You'll have to implement it on your Indexers. It'll work then.

Re: Line breaking for output via Powershell Script

shugup2923 — Fri, 08 May 2020 16:21:34 GMT

Yes, It worked ,thanks so much

Re: Line breaking for output via Powershell Script

shugup2923 — Fri, 08 May 2020 16:25:58 GMT

What can I do so fields are automatically extracted, such as
NAS ARRAY
LATEST SNAPSHOT(In Days)
OLDEST SNAPSHOT(In Days)
LATEST SNAPSHOT DATE
@{Date=05/08/2020; NAS ARRAY=SERVER1; LATEST SNAPSHOT(In Days)=1; LATEST SNAPSHOT DATE=05/08/2020; OLDEST SNAPSHOT(In Days)=107}
host = DC2VM-AUTOM-I01 source = Powershell sourcetype = NAS:Snapshot

As of now ARRAY and DATE is only extracted

Re: Line breaking for output via Powershell Script

shivanshu1593 — Fri, 08 May 2020 16:56:28 GMT

You have multiple ways to extract these events. You can extract them on your search head using fields extractor, you can also extract them using your props.conf, by using different regexes for different fields. Whatever suits your current requirement the best. I'm using both the methods to extract some fields with different types of data.

Re: Line breaking for output via Powershell Script

to4kawa — Sat, 09 May 2020 00:07:04 GMT

There is not REGEX capture. please fix it.

[my_sourcetype]
pulldown_type = true
LINE_BREAKER = (@{|}[\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %m/%d/%Y;
TIME_PREFIX = Date=
category = Custom
description = powershell output
disabled = false
EXTRACT-extractFields = Date=(?<Date>[^;]+);\s*ARRAY=(?<ARRAY>[^;]+);\s[^=]+=(?<latest_Snapshot>\d);\s[^=]+=(?<latest_Snapshot_date>[^;]+);\s[^=]+=(?<oldest_Snapshot>\d+)