topic Re: How do you edit props.conf to correctly parse data from a PowerShell script? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-do-you-edit-props-conf-to-correctly-parse-data-from-a/m-p/438978#M124917 <P>Thank you both for you advise, I did a little tweaking and the final setting that got it working were</P> <P>[activebatch]<BR /> BREAK_ONLY_BEFORE = AbatInstanceID<BR /> SHOULD_LINEMERGE = true<BR /> CHARSET = ASCII<BR /> DATETIME_CONFIG = <BR /> LINE_BREAKER = AbatInstanceID<BR /> NO_BINARY_CHECK = true<BR /> TIME_FORMAT = %m/%d/%Y %H:%M:%S<BR /> TIME_PREFIX = AbatStartTime=<BR /> TZ = America/New_York<BR /> category = Custom<BR /> pulldown_type = true</P> Tue, 29 Sep 2020 23:04:00 GMT ckeller2791 2020-09-29T23:04:00Z How do you edit props.conf to correctly parse data from a PowerShell script? https://community.splunk.com/t5/Splunk-Search/How-do-you-edit-props-conf-to-correctly-parse-data-from-a/m-p/438975#M124914 <P>I have a powershell script which feeds data into Splunk via a UDP port. The output of the script is as follows:</P> <PRE><CODE>AbatInstanceID=32107862 AbatBatchID=32107825 AbatPlanName=ABM - Partner Remittance Loader -ASOBilling AbatJobName=Execute Java partnerRemittanceLoader AbatJobPath=/HXSPRD01/Promotable Objects/Plans/Business Processes/ABM/ABM - Partner Remittance Loader -ASOBilling AbatStatus=Successful AbatQueue=ExecutionQ1 HXSPRD01 AbatStartTime=01/31/2019 11:00:10 AbatEndTime=01/31/2019 11:00:36 AbatElapsedTime=0:0:0:23 AbatLogFile=\\CO1-BAXPRD01\ASCI_ABATLOG\CO1BASPRD01\ExecutionQ1 HXSPRD01\Execute Java partnerRemittanceLoader_0032107862-31Jan2019-160001_001.log </CODE></PRE> <P>When the data is ingested into Splunk, it treats that input as two separate events splitting on the line where <CODE>AbatStartTime</CODE> and <CODE>AbatEndTime</CODE> are located due to there being two different date/time stamps. I am having trouble nailing down the correct regex syntax for parsing <CODE>AbatStartTime</CODE> as the official timestamp for the event. I have the powershell script output a double carriage return to separate the event. My <CODE>sourcetype</CODE> config is as follows</P> <PRE><CODE>CHARSET = ASCII BREAK_ONLY_BERFORE = ([\r\n\r\n]+) LINE_BREAK = ([\r\n]+) MAX_TIMESTAMP_LOOKAHEAD = 150 NO_BINARY_CHECK = true SHOULD_LINEMERGE = false TIME_PREFIX = ^AbatStartTime=\s TZ = America/New_York category = Custom pulldown_type = true </CODE></PRE> <P>Any assistance would be appreciated.</P> Thu, 31 Jan 2019 16:35:53 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-edit-props-conf-to-correctly-parse-data-from-a/m-p/438975#M124914 ckeller2791 2019-01-31T16:35:53Z Re: How do you edit props.conf to correctly parse data from a PowerShell script? https://community.splunk.com/t5/Splunk-Search/How-do-you-edit-props-conf-to-correctly-parse-data-from-a/m-p/438976#M124915 <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6471iB2B812E2680582FA/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>I think your sourcetype should be like this : </P> <PRE><CODE>[ sourcetypename] SHOULD_LINEMERGE=true CHARSET=ASCII BREAK_ONLY_BEFORE=AbatInstanceID TIME_PREFIX=AbatStartTime= TIME_FORMAT=%m/%d/%Y %H:%M:%S MAX_TIMESTAMP_LOOKAHEAD=150 </CODE></PRE> Thu, 31 Jan 2019 18:03:11 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-edit-props-conf-to-correctly-parse-data-from-a/m-p/438976#M124915 mayurr98 2019-01-31T18:03:11Z Re: How do you edit props.conf to correctly parse data from a PowerShell script? https://community.splunk.com/t5/Splunk-Search/How-do-you-edit-props-conf-to-correctly-parse-data-from-a/m-p/438977#M124916 <P>You almost certainly have too many settings that are likely to cause problems. Try this ONLY:</P> <PRE><CODE>SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n\r\n]+) NO_BINARY_CHECK = true TIME_PREFIX = [\r\n]+AbatStartTime\s*=\s* TIME_FORMAT = %m/%d/%Y %H:%M:%S MAX_TIMESTAMP_LOOKAHEAD = 19 TZ = America/New_York category = Custom </CODE></PRE> Fri, 01 Feb 2019 00:11:48 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-edit-props-conf-to-correctly-parse-data-from-a/m-p/438977#M124916 woodcock 2019-02-01T00:11:48Z Re: How do you edit props.conf to correctly parse data from a PowerShell script? https://community.splunk.com/t5/Splunk-Search/How-do-you-edit-props-conf-to-correctly-parse-data-from-a/m-p/438978#M124917 <P>Thank you both for you advise, I did a little tweaking and the final setting that got it working were</P> <P>[activebatch]<BR /> BREAK_ONLY_BEFORE = AbatInstanceID<BR /> SHOULD_LINEMERGE = true<BR /> CHARSET = ASCII<BR /> DATETIME_CONFIG = <BR /> LINE_BREAKER = AbatInstanceID<BR /> NO_BINARY_CHECK = true<BR /> TIME_FORMAT = %m/%d/%Y %H:%M:%S<BR /> TIME_PREFIX = AbatStartTime=<BR /> TZ = America/New_York<BR /> category = Custom<BR /> pulldown_type = true</P> Tue, 29 Sep 2020 23:04:00 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-edit-props-conf-to-correctly-parse-data-from-a/m-p/438978#M124917 ckeller2791 2020-09-29T23:04:00Z