I'm trying to index a bunch of plugin files such that each file is a single event. I've tried almost every combination of the following options without success. Splunk still treats every line as a separate event. I'm running the latest 4.2.3 build. I feel like this was working eight months ago when last I played with it, but it seems to be broken now.
[nessus_plugins]
TRUNCATE = 0
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE = ABCDEFGHIJKLMNOP1234567890
LINE_BREAKER = (?!)
I'm noticing that events indexed last year are working, but newly indexed events are not being broken properly.
The files are XML formatted. I remember reading that there were some changes to how XML inputs are indexed in some of the later versions.
Thanks.
Excellent, glad you figured your own problem out.
Not sure if this is the correct answer or not...
I added the following to the stanza for the input:
crcSalt =
I deleted the main index and the fishbucket and it looks like it is obeying the line breaking as expected.
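Why a crcSalt change plus a fishbucket reset would fix this, as an added illustration that is not part of the thread and not Splunk's own code: Splunk identifies a monitored file by a checksum over its first initCrcLength bytes (256 by default), and crcSalt = <SOURCE> in inputs.conf appends the file's full path to that checksum. Plugin files in one family open with the same comment block and the same compat preamble, so their first 256 bytes are identical and, without a salt, they all collapse to one fishbucket entry. The model below uses zlib.crc32 as a stand-in for Splunk's internal checksum, and the plugin paths and contents are constructed, not real Nessus plugins.

```python
import zlib

# Splunk's default initCrcLength: only this many leading bytes of a file feed
# the checksum that identifies it in the fishbucket.
INIT_CRC_LENGTH = 256

# Constructed stand-in for the boilerplate that opens every plugin in one
# family (comment block plus compat preamble). It is longer than
# INIT_CRC_LENGTH, so the identifying bytes of every file are the same.
COMMON_HEADER = "".join([
    "#\n",
    "# Constructed plugin header: every plugin in this family starts with the\n",
    "# same comment block and the same compat preamble, so the first 256 bytes\n",
    "# of each file are identical.\n",
    "#\n",
    "# " + "-" * 76 + "\n",
    "# " + "-" * 76 + "\n",
    "#\n",
    'if (!defined_func("bn_random")) exit(0);\n',
    'include("compat.inc");\n',
    "\n",
])
assert len(COMMON_HEADER) > INIT_CRC_LENGTH


def build_plugin(script_id, cve, name):
    """Constructed NASL-style plugin body: shared header, unique description."""
    body = (
        "if (description)\n"
        "{\n"
        f"  script_id({script_id});\n"
        f'  script_cve_id("{cve}");\n'
        f'  script_name(english:"{name}");\n'
        "}\n"
    )
    return (COMMON_HEADER + body).encode()


# Hypothetical paths; the second CVE is a placeholder, not a real identifier.
PLUGINS = {
    "/opt/nessus/lib/nessus/plugins/usn2_1.nasl":
        build_plugin(20614, "CVE-2004-0889", "USN-2-1 : xpdf vulnerabilities"),
    "/opt/nessus/lib/nessus/plugins/usn3_1.nasl":
        build_plugin(99999, "CVE-0000-0000", "USN-3-1 : placeholder plugin"),
}


def splunk_file_key(data, source, crc_salt=None):
    """Model of Splunk's fishbucket identity for a file: a checksum over the
    first INIT_CRC_LENGTH bytes, with crcSalt appended when it is set.
    zlib.crc32 stands in for Splunk's internal checksum; the literal string
    "<SOURCE>" stands for the file's full path, as it does in inputs.conf."""
    seed = data[:INIT_CRC_LENGTH]
    if crc_salt == "<SOURCE>":
        seed += source.encode()
    elif crc_salt:
        seed += crc_salt.encode()
    return zlib.crc32(seed)


def distinct_keys(plugins, crc_salt=None):
    """How many separate files Splunk would see for this set of paths."""
    return len({splunk_file_key(data, src, crc_salt) for src, data in plugins.items()})


def updated_plugin_keeps_key(crc_salt="<SOURCE>"):
    """True when overwriting a plugin in place leaves its fishbucket key
    unchanged (the header, and so the checksummed bytes, did not change),
    which is why a fishbucket reset is needed to re-index updated plugins."""
    src = "/opt/nessus/lib/nessus/plugins/usn2_1.nasl"
    updated = build_plugin(20614, "CVE-2004-0889", "USN-2-1 : xpdf vulnerabilities (updated)")
    return splunk_file_key(PLUGINS[src], src, crc_salt) == splunk_file_key(updated, src, crc_salt)


if __name__ == "__main__":
    print("without crcSalt:", distinct_keys(PLUGINS), "file(s) seen for", len(PLUGINS), "paths")
    print("crcSalt = <SOURCE>:", distinct_keys(PLUGINS, "<SOURCE>"), "file(s) seen")
    print("key unchanged after in-place update:", updated_plugin_keeps_key())
```

The second check is the caveat that matters for plugin directories that are rewritten on every update: the salt separates files from each other, but it does not change a file's key when its contents are replaced, so previously indexed plugins keep their fishbucket entry (and stored offset) until the fishbucket is cleared.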
Any way that you could post some of the data? Can you clean it up if there is anything company specific in it? Just post a couple of events.
I notice that all the plugins get overwritten each time they are updated. Maybe there's something I need to tweak in inputs.conf...?
Sure. They're standard Nessus 4 NASL scripts. Here's a snippet:
if (!defined_func("bn_random")) exit(0);
include("compat.inc");
if (description)
{
script_id(20614);
script_version("$Revision: 1.9 $");
script_cvs_date("$Date: 2011/10/21 11:16:48 $");
script_cve_id("CVE-2004-0889");
script_xref(name:"USN", value:"2-1");
script_name(english:"USN-2-1 : xpdf vulnerabilities");
script_summary(english:"Checks dpkg output for updated package(s)");
script_set_attribute(attribute:"synopsis", value:
What happens if you change this to the following:
SHOULD_LINEMERGE = True
You will probably have to decide between BREAK_ONLY_BEFORE and LINE_BREAKER, but not use both.
Nope. That didn't work.