I am trying to split some really long lines we have put in our .conf
files using the traditional Unix way of escaping the linefeed, and get weird errors. If I do
[RenameGeneral]
definition = rename \
User_Name -> User,\
Group_Name -> Group
I get a message that says
Error in 'rename' command: Usage: rename [old_name AS/TO/-> new_name]+
However,
[RenameGeneral]
definition = rename User_Name -> User, Group_Name -> Group
works fine.
This is a rather minimal example, our long lines are easily 1000+ characters long.
What is the proper splunkey way to split very long lines in .conf
files, if there is any?
Edit: strangely, these two macros behave differently:
[newline_one]
definition = rename _time AS g \
| eval ones=1
[newline_two]
definition = eval ones=1 \
| rename _time AS g
The first one gives the error I have quoted above while the second one does what is expected.
I've successfully tested this in inputs.conf
for polling SNMP metrics with the SNMP modular input. I used 4 spaces to indent, rather than a tab character.
[snmp://blah_blah_polling]
...
snmp_mode = attributes
object_names = <really_long_oid_1>, \
<really_long_oid_2>, \
<really_long_oid_3>, \
...
I haven't tested it, but I suspect this might work for rename
:
[newline_three]
definition = rename _time AS g | \
eval ones=1
This is identical to [newline_one]
except that the pipe character is before the line break instead of after.
@Ayn I beg to differ as I have successfully split very long expressions in the same manner as the second expression in the newline example in the edit. The trick is to have rename
come last, and do no linebreaks there (including linebreaks in macros involving rename
).
I don't think you can split expressions over multiple lines in Splunk's config files like this at all.
@eashwar I have just tried newline and tab (0x0a 0x09), it says Possible typo in stanza [newline_three] in /opt/splunk/etc/system/local/macros.conf, line 25: | eval ones = 1
i hope you can just use enter and tab