Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Custom Sourcetype Challenges
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using splunk 5.0.2 (although tested on splunk 6 as well - same challenges).
We're looking to use splunk to store audits of what software is on our systems. In Windows, we're trying to use "Get-WmiObject -Class Win32_Product" in powershell. This is defined in my inputs.conf as a [script://./bin/script.bat] stanza.
The props.conf for this sourcetype is:
[SloshBurchsSourceType]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)Name
DATETIME_CONFIG = CURRENT
REPORT-SloshBurchsSourceType = SloshBurchsSourceType
A single event in splunk is coming in correctly as a block like this:
Name : Adobe Shockwave Player 12.0
Vendor : Adobe Systems, Inc
Version : 12.0.4.144
Caption : Adobe Shockwave Player 12.0
InstallLocation : C:\Windows\SysWOW64\Adobe\
InstallDate : 20130917
I've set my transforms.conf to
[SloshBurchsSourceType]
DELIMS="\r\n", ":"
This isn't working - I'm not getting any of the fields. I'm guessing it's because of the : in the InstallLocation.
I tried switching to this transform.conf but still nothing. I'm guessing I'm using the regex wrong.
[SloshBurchsSourceType]
REGEX = (?<_KEY_1>.+)\s+:\s+(?<_VALUE_1>.+)
FORMAT = $1::$2
I want my sourcetype to automatically extract any "name : value" pairs from this without me having to list out the field names. I want splunk to dynamically detect the name value pairs in this sourcetype in the same way that is does, out of the box, for "name=value" format.
Any tips? Ideas what I'm doing wrong?
Thanks for any responses!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your LINEBREAKER setting is consuming the "Name" characters at the beginning of the event. I would avoid using LINEBREAKER. Try this instead for props.conf
[SloshBurchsSourceType]
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE = ^Name\s+\:
DATETIME_CONFIG = CURRENT
REPORT-SloshBurchsSourceType = SloshBurchsSourceType
I think that your first version of transforms.conf is probably fine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your LINEBREAKER setting is consuming the "Name" characters at the beginning of the event. I would avoid using LINEBREAKER. Try this instead for props.conf
[SloshBurchsSourceType]
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE = ^Name\s+\:
DATETIME_CONFIG = CURRENT
REPORT-SloshBurchsSourceType = SloshBurchsSourceType
I think that your first version of transforms.conf is probably fine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, since the string "Name:" is actually consumed by your LINEBREAKER setting, it will throw off all the field extractions. That's why I made this recommendation. Plus, your use of LINEBREAKER also makes your data look different in Splunk than it does in the original file, which could throw users off too.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The events were separated correctly. The issue I am facing is how to separate the name : value pairs within the atomic events that I've created. Sorry if that was unclear.
Splunk MCP & Agentic AI: Machine Data Without Limits
Finding Based Detections General Availability
Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience
