Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to index a conf file like below

ballu611
New Member
‎02-11-2014 04:32 PM

Can you help me write a regex to index a configuraton file like below. There are no time stamps in it. Anything in < ....> and </ ....> is a event.

< setup>
loglevel = 0
logfile = net_connect.log
interval = 10
max_threads = 10
icmp_burst = 3
icmp_timeout = 2
icmp_size = 32
qos_interval = 10min
bind = no
< /setup>
< profiles>
< abbpenwscac25.test.com>
active = yes
QoS = yes
ping = yes
interval = 5min
hostname = abbpenwscac25.test.com
ip = 10.21.225.35
timeout = 10
failures = 2
retries = 2
msg_ok = MsgConnectOk
msg_fail = MsgConnectFail
source = 0
target = 2
icmp_size = 0
flags = 0
group = origin:Network;class:12db_ci_netgear;
contactinfo = Network Services
alarm = 3
icmp_threshold = 2000
alarm_on_packet_loss = no
packets_to_send = 0
max_packets_lost = 0
qos_on_packets_lost = no
delay_between_packet_to_send = 0
< /abbpenwscac25.test.com>
< abbpenwscac26.test.com>
active = yes
QoS = yes
ping = yes
interval = 5min
hostname = abbpenwscac26.test.com
ip = 10.21.225.36
timeout = 10
failures = 2
retries = 2
msg_ok = MsgConnectOk
msg_fail = MsgConnectFail
source = 0
target = 2
icmp_size = 0
flags = 0
group = origin:Network;class:12db_ci_netgear;
contactinfo = Network Services
alarm = 3
icmp_threshold = 2000
alarm_on_packet_loss = no
packets_to_send = 0
max_packets_lost = 0
qos_on_packets_lost = no
delay_between_packet_to_send = 0
< /abbpenwscac26.test.com>
< /profiles>

0 Karma
Reply

ballu611
New Member
‎02-12-2014 07:54 AM

Yes, they are supposed to be abbpenwscac25.test.com and abbpenwscac26.test.com.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎02-11-2014 05:13 PM

Data preview is your best friend.
http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Overviewofdatapreview

Are you events supposed to be : abbpenwscac25.test.com and abbpenwscac26.test.com ?

[EDIT]
example :
Try this sourcetype definition in props.conf
`
[mysourcetype]
BREAK_ONLY_BEFORE=^<
# to start after opening html tags.
BREAK_ONLY_BEFORE_DATE=false
MUST_BREAK_AFTER=<./.*>$
# to break after closing html tags
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true

# for the timestamp, you can use the index time
DATETIME_CONFIG = CURRENT
`

and test with data preview

alt text

0 Karma
Reply

ballu611
New Member
‎02-12-2014 07:55 AM

Yes, they are supposed to be abbpenwscac25.test.com and abbpenwscac26.test.com.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk &#43; Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...

Data Management Digest – January 2026

Welcome to the January 2026 edition of Data Management Digest! Welcome to the January 2026 edition of Data ...

Splunk SOAR Now Available on Google Cloud Platform

We’re excited to announce that Splunk SOAR is now natively available as a SaaS solution on Google Cloud ...