Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Conf files — splitting long lines

MikhailArefiev
Explorer
‎04-02-2013 06:26 AM

I am trying to split some really long lines we have put in our .conf files using the traditional Unix way of escaping the linefeed, and get weird errors. If I do

[RenameGeneral]
definition = rename \
           User_Name -> User,\
           Group_Name -> Group

I get a message that says

Error in 'rename' command: Usage: rename [old_name AS/TO/-> new_name]+

However,

[RenameGeneral]
definition = rename User_Name -> User, Group_Name -> Group

works fine.

This is a rather minimal example, our long lines are easily 1000+ characters long.

What is the proper splunkey way to split very long lines in .conf files, if there is any?

Edit: strangely, these two macros behave differently:

[newline_one]
definition = rename _time AS g \
           | eval ones=1

[newline_two]
definition = eval ones=1 \
           | rename _time AS g

The first one gives the error I have quoted above while the second one does what is expected.

Tags (2)
0 Karma
Reply

steven_swor
Path Finder
‎11-19-2014 08:08 PM

I've successfully tested this in inputs.conf for polling SNMP metrics with the SNMP modular input. I used 4 spaces to indent, rather than a tab character.

[snmp://blah_blah_polling]
...
snmp_mode = attributes
object_names = <really_long_oid_1>, \
    <really_long_oid_2>, \
    <really_long_oid_3>, \
    ...

I haven't tested it, but I suspect this might work for rename:

[newline_three]
definition = rename _time AS g | \
    eval ones=1

This is identical to [newline_one] except that the pipe character is before the line break instead of after.

0 Karma
Reply

MikhailArefiev
Explorer
‎04-03-2013 06:19 AM

@Ayn I beg to differ as I have successfully split very long expressions in the same manner as the second expression in the newline example in the edit. The trick is to have rename come last, and do no linebreaks there (including linebreaks in macros involving rename).

0 Karma
Reply

Ayn
Legend
‎04-03-2013 04:09 AM

I don't think you can split expressions over multiple lines in Splunk's config files like this at all.

0 Karma
Reply

MikhailArefiev
Explorer
‎04-03-2013 01:06 AM

@eashwar I have just tried newline and tab (0x0a 0x09), it says Possible typo in stanza [newline_three] in /opt/splunk/etc/system/local/macros.conf, line 25: | eval ones = 1

0 Karma
Reply

eashwar
Communicator
‎04-02-2013 12:50 PM

i hope you can just use enter and tab

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...