Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to index a conf file like below

ballu611
New Member
‎02-11-2014 04:32 PM

Can you help me write a regex to index a configuraton file like below. There are no time stamps in it. Anything in < ....> and </ ....> is a event.

< setup>
loglevel = 0
logfile = net_connect.log
interval = 10
max_threads = 10
icmp_burst = 3
icmp_timeout = 2
icmp_size = 32
qos_interval = 10min
bind = no
< /setup>
< profiles>
< abbpenwscac25.test.com>
active = yes
QoS = yes
ping = yes
interval = 5min
hostname = abbpenwscac25.test.com
ip = 10.21.225.35
timeout = 10
failures = 2
retries = 2
msg_ok = MsgConnectOk
msg_fail = MsgConnectFail
source = 0
target = 2
icmp_size = 0
flags = 0
group = origin:Network;class:12db_ci_netgear;
contactinfo = Network Services
alarm = 3
icmp_threshold = 2000
alarm_on_packet_loss = no
packets_to_send = 0
max_packets_lost = 0
qos_on_packets_lost = no
delay_between_packet_to_send = 0
< /abbpenwscac25.test.com>
< abbpenwscac26.test.com>
active = yes
QoS = yes
ping = yes
interval = 5min
hostname = abbpenwscac26.test.com
ip = 10.21.225.36
timeout = 10
failures = 2
retries = 2
msg_ok = MsgConnectOk
msg_fail = MsgConnectFail
source = 0
target = 2
icmp_size = 0
flags = 0
group = origin:Network;class:12db_ci_netgear;
contactinfo = Network Services
alarm = 3
icmp_threshold = 2000
alarm_on_packet_loss = no
packets_to_send = 0
max_packets_lost = 0
qos_on_packets_lost = no
delay_between_packet_to_send = 0
< /abbpenwscac26.test.com>
< /profiles>

0 Karma
Reply

ballu611
New Member
‎02-12-2014 07:54 AM

Yes, they are supposed to be abbpenwscac25.test.com and abbpenwscac26.test.com.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎02-11-2014 05:13 PM

Data preview is your best friend.
http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Overviewofdatapreview

Are you events supposed to be : abbpenwscac25.test.com and abbpenwscac26.test.com ?

[EDIT]
example :
Try this sourcetype definition in props.conf
`
[mysourcetype]
BREAK_ONLY_BEFORE=^<
# to start after opening html tags.
BREAK_ONLY_BEFORE_DATE=false
MUST_BREAK_AFTER=<./.*>$
# to break after closing html tags
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true

# for the timestamp, you can use the index time
DATETIME_CONFIG = CURRENT
`

and test with data preview

alt text

0 Karma
Reply

ballu611
New Member
‎02-12-2014 07:55 AM

Yes, they are supposed to be abbpenwscac25.test.com and abbpenwscac26.test.com.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...