Disabling line breaking not working

mundus
Path Finder

I'm trying to index a bunch of plugin files such that each file is a single event. I've tried almost every combination of the following options without success. Splunk still treats every line as a separate event. I'm running the latest 4.2.3 build. I feel like this was working eight months ago when last I played with it, but it seems to be broken now.

[nessus_plugins]
TRUNCATE = 0
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE = ABCDEFGHIJKLMNOP1234567890
LINE_BREAKER = (?!)

I'm noticing that events indexed last year are working, but newly indexed events are not being broken properly.

The files are XML formatted. I remember reading that there were some changes to how XML inputs are indexed in some of the later versions.
Thanks.
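Added example, not from the thread or from Splunk: a small Python model of the documented LINE_BREAKER rule (the start of the first capturing group ends one event, its end begins the next), run over constructed NASL lines to show why the never-matching `(?!)` regex in the stanza above yields a single event per file when SHOULD_LINEMERGE is false, while the default breaker yields one event per non-blank line.

```python
import re

# Constructed sample standing in for one Nessus NASL plugin file
# (same kind of content as the snippet quoted in the thread).
NASL_FILE = (
    'if (!defined_func("bn_random")) exit(0);\n'
    '\n'
    'include("compat.inc");\n'
    '\n'
    'if (description)\n'
    '{\n'
    'script_id(20614);\n'
    'script_version("$Revision: 1.9 $");\n'
    '}\n'
)

# Splunk's documented default LINE_BREAKER, and the regex from the question.
# (?!) is an empty negative lookahead: it fails at every position, so the
# stream is never broken and the whole file remains one event.
DEFAULT_LINE_BREAKER = r"([\r\n]+)"
NEVER_BREAK = r"(?!)"


def line_break(raw: str, line_breaker: str = DEFAULT_LINE_BREAKER) -> list[str]:
    """Simplified model of LINE_BREAKER with SHOULD_LINEMERGE = false.

    Per the props.conf spec, the start of the first capturing group ends the
    previous event, the end of that group starts the next event, and the
    group's own text is discarded. Illustration only, not Splunk's code.
    """
    pattern = re.compile(line_breaker)
    # A lookahead such as (?!) has no capturing group; fall back to the whole
    # match, which for (?!) is never consulted because it never matches.
    grp = 1 if pattern.groups else 0
    events, start = [], 0
    for m in pattern.finditer(raw):
        if m.start(grp) > start:       # skip matches that would yield an empty event
            events.append(raw[start:m.start(grp)])
        start = m.end(grp)
    if start < len(raw):               # text after the last break is the final event
        events.append(raw[start:])
    return events


if __name__ == "__main__":
    print(f"default breaker: {len(line_break(NASL_FILE))} events")         # 7
    print(f"(?!) breaker:    {len(line_break(NASL_FILE, NEVER_BREAK))} events")  # 1
```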

tgow
Splunk Employee

Excellent, glad you figured your own problem out.

mundus
Path Finder

Not sure if this is the correct answer or not...

I added the following to the stanza for the input:

crcSalt =

I deleted the main index and the fishbucket and it looks like it is obeying the line breaking as expected.

tgow
Splunk Employee

Any way that you could post some of the data? Can you clean it up if there is anything company specific in it? Just post a couple of events.

mundus
Path Finder

I notice that all the plugins get overwritten each time they are updated. Maybe there's something I need to tweak in inputs.conf...?

mundus
Path Finder

Sure. They're standard Nessus 4 NASL scripts. Here's a snippet:

if (!defined_func("bn_random")) exit(0);

include("compat.inc");

if (description)
{
script_id(20614);
script_version("$Revision: 1.9 $");
script_cvs_date("$Date: 2011/10/21 11:16:48 $");

script_cve_id("CVE-2004-0889");
script_xref(name:"USN", value:"2-1");

script_name(english:"USN-2-1 : xpdf vulnerabilities");
script_summary(english:"Checks dpkg output for updated package(s)");

script_set_attribute(attribute:"synopsis", value:

tgow
Splunk Employee

What happens if you change this to the following:

SHOULD_LINEMERGE = True

You will probably have to decide between BREAK_ONLY_BEFORE or LINE_BREAKER but not both.

mundus
Path Finder

Nope. That didn't work.
