Getting Data In

Conf files — splitting long lines

MikhailArefiev
Explorer

I am trying to split some really long lines we have put in our .conf files using the traditional Unix way of escaping the linefeed, and get weird errors. If I do

[RenameGeneral]
definition = rename \
           User_Name -> User,\
           Group_Name -> Group

I get a message that says

Error in 'rename' command: Usage: rename [old_name AS/TO/-> new_name]+

However,

[RenameGeneral]
definition = rename User_Name -> User, Group_Name -> Group

works fine.

This is a rather minimal example; our long lines are easily 1000+ characters long.

What is the proper splunkey way to split very long lines in .conf files, if there is any?

Edit: strangely, these two macros behave differently:

[newline_one]
definition = rename _time AS g \
           | eval ones=1

[newline_two]
definition = eval ones=1 \
           | rename _time AS g

The first one gives the error I have quoted above while the second one does what is expected.

0 Karma

steven_swor
Path Finder

I've successfully tested this in inputs.conf for polling SNMP metrics with the SNMP modular input. I used 4 spaces to indent, rather than a tab character.

[snmp://blah_blah_polling]
...
snmp_mode = attributes
object_names = <really_long_oid_1>, \
    <really_long_oid_2>, \
    <really_long_oid_3>, \
    ...

I haven't tested it, but I suspect this might work for rename:

[newline_three]
definition = rename _time AS g | \
    eval ones=1

This is identical to [newline_one] except that the pipe character is before the line break instead of after.

0 Karma

MikhailArefiev
Explorer

@Ayn I beg to differ as I have successfully split very long expressions in the same manner as the second expression in the newline example in the edit. The trick is to have rename come last, and do no linebreaks there (including linebreaks in macros involving rename).

0 Karma
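
The pattern reported in the question and in this reply (a backslash line break inside a `rename` segment fails, a break elsewhere works) can be checked before a macros.conf is deployed. The following is an added example, not code from the thread or from Splunk; `read_definitions` and `lint` are hypothetical helpers, and the rule they apply is the posters' observation rather than documented behaviour. It assumes the continued value keeps its line break.

```python
import re

# Constructed sample: the macros quoted in the question, as they would sit in macros.conf.
SAMPLE = r"""
[RenameGeneral]
definition = rename \
           User_Name -> User,\
           Group_Name -> Group

[newline_one]
definition = rename _time AS g \
           | eval ones=1

[newline_two]
definition = eval ones=1 \
           | rename _time AS g
"""

def read_definitions(text):
    """Return {stanza: definition}; a trailing backslash continues the value."""
    # Assumption: the line break itself stays in the continued value.
    defs, stanza, buf = {}, None, None
    for raw in text.splitlines():
        if buf is not None:                        # inside a continued value
            more = raw.endswith("\\")
            buf.append(raw[:-1] if more else raw)
            if not more:
                defs[stanza], buf = "\n".join(buf), None
            continue
        header = re.fullmatch(r"\[(.+)\]", raw.strip())
        if header:
            stanza = header.group(1)
        elif stanza and re.match(r"\s*definition\s*=", raw):
            value = raw.split("=", 1)[1].lstrip()
            if value.endswith("\\"):
                buf = [value[:-1]]
            else:
                defs[stanza] = value
    if buf is not None:                            # file ended mid-continuation
        defs[stanza] = "\n".join(buf)
    return defs

def lint(text):
    """Stanzas where a line break falls inside a rename segment of the pipeline."""
    def broken(definition):                        # naive split: ignores quoted pipes
        segs = (s.lstrip() for s in definition.split("|"))
        return any(re.match(r"rename\b", s) and "\n" in s for s in segs)
    return sorted(n for n, d in read_definitions(text).items() if broken(d))
```

Calling `lint(SAMPLE)` returns `['RenameGeneral', 'newline_one']`, the two stanzas the question reports as failing.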

Ayn
Legend

I don't think you can split expressions over multiple lines in Splunk's config files like this at all.

0 Karma

MikhailArefiev
Explorer

@eashwar I have just tried newline and tab (0x0a 0x09), it says Possible typo in stanza [newline_three] in /opt/splunk/etc/system/local/macros.conf, line 25: | eval ones = 1

0 Karma

eashwar
Communicator

I hope you can just use enter and tab.

0 Karma