Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to index a conf file like below

ballu611
New Member
‎02-11-2014 04:32 PM

Can you help me write a regex to index a configuraton file like below. There are no time stamps in it. Anything in < ....> and </ ....> is a event.

< setup>
loglevel = 0
logfile = net_connect.log
interval = 10
max_threads = 10
icmp_burst = 3
icmp_timeout = 2
icmp_size = 32
qos_interval = 10min
bind = no
< /setup>
< profiles>
< abbpenwscac25.test.com>
active = yes
QoS = yes
ping = yes
interval = 5min
hostname = abbpenwscac25.test.com
ip = 10.21.225.35
timeout = 10
failures = 2
retries = 2
msg_ok = MsgConnectOk
msg_fail = MsgConnectFail
source = 0
target = 2
icmp_size = 0
flags = 0
group = origin:Network;class:12db_ci_netgear;
contactinfo = Network Services
alarm = 3
icmp_threshold = 2000
alarm_on_packet_loss = no
packets_to_send = 0
max_packets_lost = 0
qos_on_packets_lost = no
delay_between_packet_to_send = 0
< /abbpenwscac25.test.com>
< abbpenwscac26.test.com>
active = yes
QoS = yes
ping = yes
interval = 5min
hostname = abbpenwscac26.test.com
ip = 10.21.225.36
timeout = 10
failures = 2
retries = 2
msg_ok = MsgConnectOk
msg_fail = MsgConnectFail
source = 0
target = 2
icmp_size = 0
flags = 0
group = origin:Network;class:12db_ci_netgear;
contactinfo = Network Services
alarm = 3
icmp_threshold = 2000
alarm_on_packet_loss = no
packets_to_send = 0
max_packets_lost = 0
qos_on_packets_lost = no
delay_between_packet_to_send = 0
< /abbpenwscac26.test.com>
< /profiles>

0 Karma
Reply

ballu611
New Member
‎02-12-2014 07:54 AM

Yes, they are supposed to be abbpenwscac25.test.com and abbpenwscac26.test.com.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎02-11-2014 05:13 PM

Data preview is your best friend.
http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Overviewofdatapreview

Are you events supposed to be : abbpenwscac25.test.com and abbpenwscac26.test.com ?

[EDIT]
example :
Try this sourcetype definition in props.conf
`
[mysourcetype]
BREAK_ONLY_BEFORE=^<
# to start after opening html tags.
BREAK_ONLY_BEFORE_DATE=false
MUST_BREAK_AFTER=<./.*>$
# to break after closing html tags
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true

# for the timestamp, you can use the index time
DATETIME_CONFIG = CURRENT
`

and test with data preview

alt text

0 Karma
Reply

ballu611
New Member
‎02-12-2014 07:55 AM

Yes, they are supposed to be abbpenwscac25.test.com and abbpenwscac26.test.com.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...