Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to index a conf file like below

ballu611
New Member
‎02-11-2014 04:32 PM

Can you help me write a regex to index a configuraton file like below. There are no time stamps in it. Anything in < ....> and </ ....> is a event.

< setup>
loglevel = 0
logfile = net_connect.log
interval = 10
max_threads = 10
icmp_burst = 3
icmp_timeout = 2
icmp_size = 32
qos_interval = 10min
bind = no
< /setup>
< profiles>
< abbpenwscac25.test.com>
active = yes
QoS = yes
ping = yes
interval = 5min
hostname = abbpenwscac25.test.com
ip = 10.21.225.35
timeout = 10
failures = 2
retries = 2
msg_ok = MsgConnectOk
msg_fail = MsgConnectFail
source = 0
target = 2
icmp_size = 0
flags = 0
group = origin:Network;class:12db_ci_netgear;
contactinfo = Network Services
alarm = 3
icmp_threshold = 2000
alarm_on_packet_loss = no
packets_to_send = 0
max_packets_lost = 0
qos_on_packets_lost = no
delay_between_packet_to_send = 0
< /abbpenwscac25.test.com>
< abbpenwscac26.test.com>
active = yes
QoS = yes
ping = yes
interval = 5min
hostname = abbpenwscac26.test.com
ip = 10.21.225.36
timeout = 10
failures = 2
retries = 2
msg_ok = MsgConnectOk
msg_fail = MsgConnectFail
source = 0
target = 2
icmp_size = 0
flags = 0
group = origin:Network;class:12db_ci_netgear;
contactinfo = Network Services
alarm = 3
icmp_threshold = 2000
alarm_on_packet_loss = no
packets_to_send = 0
max_packets_lost = 0
qos_on_packets_lost = no
delay_between_packet_to_send = 0
< /abbpenwscac26.test.com>
< /profiles>

0 Karma
Reply

ballu611
New Member
‎02-12-2014 07:54 AM

Yes, they are supposed to be abbpenwscac25.test.com and abbpenwscac26.test.com.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎02-11-2014 05:13 PM

Data preview is your best friend.
http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Overviewofdatapreview

Are you events supposed to be : abbpenwscac25.test.com and abbpenwscac26.test.com ?

[EDIT]
example :
Try this sourcetype definition in props.conf
`
[mysourcetype]
BREAK_ONLY_BEFORE=^<
# to start after opening html tags.
BREAK_ONLY_BEFORE_DATE=false
MUST_BREAK_AFTER=<./.*>$
# to break after closing html tags
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true

# for the timestamp, you can use the index time
DATETIME_CONFIG = CURRENT
`

and test with data preview

alt text

0 Karma
Reply

ballu611
New Member
‎02-12-2014 07:55 AM

Yes, they are supposed to be abbpenwscac25.test.com and abbpenwscac26.test.com.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...