topic Re: How to index a simple dir in Windows Environment in Getting Data In https://community.splunk.com/t5/Getting-Data-In/How-to-index-a-simple-dir-in-Windows-Environment/m-p/316603#M92748 <P>try </P> <P>[mysourcetype]<BR /> LINE_BREAKER = ---ENDDIR([\r\n]+)</P> Wed, 19 Jul 2017 14:16:35 GMT WalshyB 2017-07-19T14:16:35Z How to index a simple dir in Windows Environment https://community.splunk.com/t5/Getting-Data-In/How-to-index-a-simple-dir-in-Windows-Environment/m-p/316602#M92747 <P>Hi guys.<BR /> A simple question (i hope <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> ).<BR /> I need to index <STRONG>in a single event</STRONG> this very very simple Windows .cmd output,</P> <PRE><CODE>19/07/2017-11:27:12,55 Il volume nell'unità C è OSDisk Numero di serie del volume: F445-8CA0 Directory di c:\ 12/11/2015 16:00 &lt;DIR&gt; adsm.sys 09/07/2013 18:07 &lt;DIR&gt; Applicazioni 09/07/2013 16:28 &lt;DIR&gt; Build 20/01/2015 16:03 &lt;DIR&gt; cygwin 13/06/2017 11:52 &lt;DIR&gt; inetpub 09/07/2013 16:55 &lt;DIR&gt; infappdata 09/07/2013 16:21 &lt;DIR&gt; Intel 09/07/2013 18:07 &lt;DIR&gt; IRN 09/07/2013 18:07 &lt;DIR&gt; JETFORM 09/07/2013 18:03 &lt;DIR&gt; Jfsa 27/11/2015 18:01 &lt;DIR&gt; KVRT_Data 09/07/2013 17:48 &lt;DIR&gt; MQSERIES 14/07/2009 04:37 &lt;DIR&gt; PerfLogs 13/06/2017 12:04 &lt;DIR&gt; Program Files 13/06/2017 12:04 &lt;DIR&gt; ProgramData 02/05/2017 12:33 &lt;DIR&gt; Quarantine 19/07/2017 10:27 &lt;DIR&gt; Temp 19/08/2014 11:02 &lt;DIR&gt; tsm_images 05/07/2017 08:39 &lt;DIR&gt; Users 30/06/2017 12:29 &lt;DIR&gt; Windows 30/06/2017 12:29 &lt;DIR&gt; _logfiles 0 File 0 byte 21 Directory 431.218.503.680 byte disponibili ---ENDDIR </CODE></PRE> <P>Now, with default Splunk conf files (props), INDEXER split each line in 1 event, and stops at first new TIMESTAMP,</P> <PRE><CODE>EVENT#1 19/07/2017-11:27:12,55 EVENT#2 Il volume nell'unità C è OSDisk EVENT#3 Numero di serie del volume: F445-8CA0 EVENT#4 Directory di c:\ </CODE></PRE> <P>The only way i can get a single event is to insert in props.conf, something like,</P> <PRE><CODE>[mysourcetype] BREAK_ONLY_BEFORE = ---ENDDIR </CODE></PRE> <P>So i get my event, with a new one (with pattern of <STRONG>BREAK_ONLY_BEFORE</STRONG> ) then</P> <PRE><CODE>(EVENT#1) 19/07/2017-11:27:12,55 Il volume nell'unità C è OSDisk Numero di serie del volume: F445-8CA0 Directory di c:\ 12/11/2015 16:00 &lt;DIR&gt; adsm.sys 09/07/2013 18:07 &lt;DIR&gt; Applicazioni 09/07/2013 16:28 &lt;DIR&gt; Build 20/01/2015 16:03 &lt;DIR&gt; cygwin 13/06/2017 11:52 &lt;DIR&gt; inetpub 09/07/2013 16:55 &lt;DIR&gt; infappdata 09/07/2013 16:21 &lt;DIR&gt; Intel 09/07/2013 18:07 &lt;DIR&gt; IRN 09/07/2013 18:07 &lt;DIR&gt; JETFORM 09/07/2013 18:03 &lt;DIR&gt; Jfsa 27/11/2015 18:01 &lt;DIR&gt; KVRT_Data 09/07/2013 17:48 &lt;DIR&gt; MQSERIES 14/07/2009 04:37 &lt;DIR&gt; PerfLogs 13/06/2017 12:04 &lt;DIR&gt; Program Files 13/06/2017 12:04 &lt;DIR&gt; ProgramData 02/05/2017 12:33 &lt;DIR&gt; Quarantine 19/07/2017 10:27 &lt;DIR&gt; Temp 19/08/2014 11:02 &lt;DIR&gt; tsm_images 05/07/2017 08:39 &lt;DIR&gt; Users 30/06/2017 12:29 &lt;DIR&gt; Windows 30/06/2017 12:29 &lt;DIR&gt; _logfiles 0 File 0 byte 21 Directory 431.218.503.680 byte disponibili (EVENT#2) ---ENDDIR </CODE></PRE> <P>I also tried a</P> <PRE><CODE>BREAK_ONLY_BEFORE_DATE = False </CODE></PRE> <P>with no results.</P> <P>Any solution?<BR /> Thanks.</P> Tue, 29 Sep 2020 14:56:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-a-simple-dir-in-Windows-Environment/m-p/316602#M92747 verbal_666 2020-09-29T14:56:45Z Re: How to index a simple dir in Windows Environment https://community.splunk.com/t5/Getting-Data-In/How-to-index-a-simple-dir-in-Windows-Environment/m-p/316603#M92748 <P>try </P> <P>[mysourcetype]<BR /> LINE_BREAKER = ---ENDDIR([\r\n]+)</P> Wed, 19 Jul 2017 14:16:35 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-a-simple-dir-in-Windows-Environment/m-p/316603#M92748 WalshyB 2017-07-19T14:16:35Z Re: How to index a simple dir in Windows Environment https://community.splunk.com/t5/Getting-Data-In/How-to-index-a-simple-dir-in-Windows-Environment/m-p/316604#M92749 <P>Works greeeeeeeeeeeeeeeeeeeeeeeeat <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> Thanks.<BR /> ps. think, i tried a<BR /> <STRONG>LINE_BREAKER = ---ENDDIR</STRONG><BR /> without success before!!! I think i forgot the "carriage return linefeed" <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> thanks again <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 19 Jul 2017 14:36:17 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-a-simple-dir-in-Windows-Environment/m-p/316604#M92749 verbal_666 2017-07-19T14:36:17Z Re: How to index a simple dir in Windows Environment https://community.splunk.com/t5/Getting-Data-In/How-to-index-a-simple-dir-in-Windows-Environment/m-p/316605#M92750 <P>you're welcome, try not to put the title in all caps next time <span class="lia-unicode-emoji" title=":winking_face:">😉</span> </P> Wed, 19 Jul 2017 15:03:29 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-a-simple-dir-in-Windows-Environment/m-p/316605#M92750 WalshyB 2017-07-19T15:03:29Z Re: How to index a simple dir in Windows Environment https://community.splunk.com/t5/Getting-Data-In/How-to-index-a-simple-dir-in-Windows-Environment/m-p/316606#M92751 <P>Sure <span class="lia-unicode-emoji" title=":winking_face:">😉</span> i promise <span class="lia-unicode-emoji" title=":winking_face:">😉</span> thanks again for the hint...</P> Wed, 19 Jul 2017 16:01:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-index-a-simple-dir-in-Windows-Environment/m-p/316606#M92751 verbal_666 2017-07-19T16:01:10Z