I'm trying to index a bunch of plugin files such that each file is a single event. I've tried almost every combination of the following options without success. Splunk still treats every line as a separate event. I'm running the latest 4.2.3 build. I feel like this was working eight months ago when last I played with it, but it seems to be broken now.
TRUNCATE = 0
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE = ABCDEFGHIJKLMNOP1234567890
LINE_BREAKER = (?!)
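A props.conf stanza for the "whole file as one event" case, added here as an illustration rather than taken from the question; the stanza name and path pattern are assumptions. It keeps line merging off, uses a LINE_BREAKER that carries the capturing group Splunk requires but can never match, and disables truncation.

```ini
# props.conf example (not from the question above): index each plugin file as a single event.
# The stanza name and directory pattern are assumptions; adjust to the monitored path.
[source::/opt/nessus/plugins/*.nasl]

# With line merging off, event boundaries come only from LINE_BREAKER.
# BREAK_ONLY_BEFORE is a line-merging setting and is ignored when SHOULD_LINEMERGE = false.
SHOULD_LINEMERGE = false

# Splunk requires a capturing group in LINE_BREAKER. (?!) is a negative lookahead of the
# empty string and never matches, so no break is ever inserted and the whole file is
# emitted as one event when the file is read to EOF.
LINE_BREAKER = ((?!))

# 0 disables the default 10000-byte limit so large plugin bodies are stored whole.
TRUNCATE = 0

# The script text has no reliable event timestamp; use the index time instead of
# letting timestamp extraction pick up dates such as "$Date: ..." inside the file.
DATETIME_CONFIG = CURRENT
```

Changing props.conf does not make Splunk re-read files it has already indexed: the fishbucket records them as seen, which is why clearing it (as the thread's answer does) is needed before already-ingested files pick up the new breaking rules.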
I'm noticing that events indexed last year are working, but newly indexed events are not being broken properly.
The files are XML formatted. I remember reading that there were some changes to how XML inputs are indexed in some of the later versions.
Not sure if this is the correct answer or not...
I added the following to the stanza for the input:
I deleted the main index and the fishbucket and it looks like it is obeying the line breaking as expected.
Sure. They're standard Nessus 4 NASL scripts. Here's a snippet:
if (!defined_func("bn_random")) exit(0);
script_version("$Revision: 1.9 $");
script_cvs_date("$Date: 2011/10/21 11:16:48 $");
script_name(english:"USN-2-1 : xpdf vulnerabilities");
script_summary(english:"Checks dpkg output for updated package(s)");