Getting Data In

How to create one event per line in scripted input

bigtyma
Communicator

I have a scripted file input that is tailing a log file. Unfortunately, events are not being broken out correctly. I would like one event per line.

Ideas?

Inputs.conf below:

[script://D:\Splunk\etc\apps\sos\bin\sospowershell.cmd oaintfep03.ps1]
disabled = false
index = main
interval = 90
source = oaintfep03
sourcetype = ps

[Sample of data below]

USERENV(dcf8.5ae8) 17:53:05:315 LoadUserProfile: NULL server name
USERENV(dcf8.5ae8) 17:53:05:315 LoadUserProfile: no thread token found, impersonating self.
USERENV(dcf8.5ae8) 17:53:05:315 GetInterface: Returning rpc binding handle
USERENV(364.20c8) 17:53:05:315 IProfileSecurityCallBack: client authenticated.
USERENV(364.20c8) 17:53:05:315 MIDL_user_allocate enter
USERENV(364.20c8) 17:53:05:315 DropClientContext: Got client token 000009B8, sid = S-1-5-18
USERENV(364.20c8) 17:53:05:315 MIDL_user_allocate enter
USERENV(364.20c8) 17:53:05:315 DropClientContext: load profile object successfully made
USERENV(364.20c8) 17:53:05:315 DropClientContext: Returning 0
USERENV(364.20c8) 17:53:05:331 MIDL_user_free enter
USERENV(dcf8.5ae8) 17:53:05:331 LoadUserProfile: Calling DropClientToken (as self) succeeded
USERENV(dcf8.5ae8) 17:53:05:331 CProfileDialog::Initialize : Cookie generated <917DE8361C59FB6371FF057477808B96>
USERENV(dcf8.5ae8) 17:53:05:331 CProfileDialog::Initialize : Endpoint generated <IProfileDialog_CE7806EEC5C36D56A877F1B2156E21BB>
USERENV(364.102f8) 17:53:05:331 IProfileSecurityCallBack: client authenticated.
USERENV(364.102f8) 17:53:05:331 MIDL_user_allocate enter
USERENV(364.102f8) 17:53:05:331 LoadUserProfileI: RPC end point IProfileDialog_CE7806EEC5C36D56A877F1B2156E21BB
USERENV(364.102f8) 17:53:05:331 In LoadUserProfileP
USERENV(364.102f8) 17:53:05:331 LoadUserProfile: Running as client, sid = S-1-5-18
USERENV(364.102f8) 17:53:05:331 =========================================================
USERENV(364.102f8) 17:53:05:331 LoadUserProfile: Entering, hToken = <0xd80>, lpProfileInfo = 0x207bb80
USERENV(364.102f8) 17:53:05:331 LoadUserProfile: lpProfileInfo->dwFlags = <0x0>

0 Karma

bigtyma
Communicator

ps is for PowerShell; I am on Windows.

Changing props.conf fixed that issue; however, my event is now 257 lines long. Should I use max events = 1 to get one event per line?

Using a file monitor had issues since it detected my file as binary. The files are encoded in Unicode, and I am able to tail the file in the correct encoding in PowerShell. It could be better, but this mostly works.

I appreciate your help.

0 Karma

lguinn2
Legend

First, if you have the Splunk *NIX app installed, there is already a sourcetype named ps - and it doesn't match what you are doing here. So if you are using the *NIX app (or think you might in the future), I suggest that you pick a different name for your sourcetype. That might solve the problem altogether, but if it doesn't:

Create the following stanza in props.conf (or add to an existing one):

props.conf

[yoursourcetypename]
SHOULD_LINEMERGE=false

Be sure that you put this props.conf on your indexer (or wherever the data is parsed).

PS - why are you using a scripted input to tail a log file? I would think that a monitor input would be preferable...

gfuente
Motivator

Hello

Edit or create your props.conf file and add:

[ps]
SHOULD_LINEMERGE=false

That should force one event per line.

Regards

0 Karma
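
An added example, not taken from any of the posts above: the SHOULD_LINEMERGE answer combined with the monitor input lguinn2 suggests, assuming the log file is UTF-16LE (the poster says only "unicode"). The sourcetype name userenv_debug and the monitored path are placeholders.

```ini
# inputs.conf (on the instance that reads the file)
# Placeholder path: point this at the real log file.
[monitor://D:\path\to\userenv.log]
disabled = false
index = main
# Hypothetical sourcetype name, chosen to avoid the *NIX app's "ps".
sourcetype = userenv_debug

# props.conf
[userenv_debug]
# Input-phase settings: these must be present where the file is read
# (the forwarder, if one is used).
# Assumption: the file is UTF-16LE. Without a matching CHARSET the
# interleaved NUL bytes make the file look binary.
CHARSET = UTF-16LE
NO_BINARY_CHECK = true

# Parsing-phase settings: these must be present where the data is parsed
# (the indexer, or a heavy forwarder in front of it).
# Break on every run of CR/LF and never merge lines back together,
# so each USERENV(...) line becomes its own event.
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
```

Settings in props.conf apply only to data indexed after the change and a restart of the affected instances; events already indexed keep their original boundaries.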