How to index a simple dir in Windows Environment

verbal_666
Builder

Hi guys.
A simple question (I hope 🙂).
I need to index this very, very simple Windows .cmd output as a single event:

19/07/2017-11:27:12,55
 Il volume nell'unità C è OSDisk
 Numero di serie del volume: F445-8CA0
 Directory di c:\
12/11/2015  16:00    <DIR>          adsm.sys
09/07/2013  18:07    <DIR>          Applicazioni
09/07/2013  16:28    <DIR>          Build
20/01/2015  16:03    <DIR>          cygwin
13/06/2017  11:52    <DIR>          inetpub
09/07/2013  16:55    <DIR>          infappdata
09/07/2013  16:21    <DIR>          Intel
09/07/2013  18:07    <DIR>          IRN
09/07/2013  18:07    <DIR>          JETFORM
09/07/2013  18:03    <DIR>          Jfsa
27/11/2015  18:01    <DIR>          KVRT_Data
09/07/2013  17:48    <DIR>          MQSERIES
14/07/2009  04:37    <DIR>          PerfLogs
13/06/2017  12:04    <DIR>          Program Files
13/06/2017  12:04    <DIR>          ProgramData
02/05/2017  12:33    <DIR>          Quarantine
19/07/2017  10:27    <DIR>          Temp
19/08/2014  11:02    <DIR>          tsm_images
05/07/2017  08:39    <DIR>          Users
30/06/2017  12:29    <DIR>          Windows
30/06/2017  12:29    <DIR>          _logfiles
               0 File              0 byte
              21 Directory  431.218.503.680 byte disponibili
---ENDDIR

Now, with the default Splunk conf files (props), the INDEXER splits each line into one event and stops at the first new TIMESTAMP:

EVENT#1    19/07/2017-11:27:12,55
EVENT#2     Il volume nell'unità C è OSDisk
EVENT#3     Numero di serie del volume: F445-8CA0
EVENT#4     Directory di c:\

The only way I can get a single event is to insert in props.conf something like:

[mysourcetype]
BREAK_ONLY_BEFORE = ---ENDDIR

So I get my event, followed by a new one (matching the BREAK_ONLY_BEFORE pattern):

(EVENT#1) 19/07/2017-11:27:12,55
  Il volume nell'unità C è OSDisk
  Numero di serie del volume: F445-8CA0
  Directory di c:\
 12/11/2015  16:00    <DIR>          adsm.sys
 09/07/2013  18:07    <DIR>          Applicazioni
 09/07/2013  16:28    <DIR>          Build
 20/01/2015  16:03    <DIR>          cygwin
 13/06/2017  11:52    <DIR>          inetpub
 09/07/2013  16:55    <DIR>          infappdata
 09/07/2013  16:21    <DIR>          Intel
 09/07/2013  18:07    <DIR>          IRN
 09/07/2013  18:07    <DIR>          JETFORM
 09/07/2013  18:03    <DIR>          Jfsa
 27/11/2015  18:01    <DIR>          KVRT_Data
 09/07/2013  17:48    <DIR>          MQSERIES
 14/07/2009  04:37    <DIR>          PerfLogs
 13/06/2017  12:04    <DIR>          Program Files
 13/06/2017  12:04    <DIR>          ProgramData
 02/05/2017  12:33    <DIR>          Quarantine
 19/07/2017  10:27    <DIR>          Temp
 19/08/2014  11:02    <DIR>          tsm_images
 05/07/2017  08:39    <DIR>          Users
 30/06/2017  12:29    <DIR>          Windows
 30/06/2017  12:29    <DIR>          _logfiles
                0 File              0 byte
               21 Directory  431.218.503.680 byte disponibili

(EVENT#2) ---ENDDIR

I also tried a

BREAK_ONLY_BEFORE_DATE = False

with no results.

Any solution?
Thanks.


WalshyB
SplunkTrust
SplunkTrust

try

[mysourcetype]
LINE_BREAKER = ---ENDDIR([\r\n]+)

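Why the answer above works, and why a bare `---ENDDIR` does not: LINE_BREAKER requires a capturing group. Wherever the regex matches, the start of the first capturing group ends the previous event, the end of that group starts the next one, and the group's own text (here the line ending) is discarded, so `---ENDDIR` stays as the last line of each dump. The Python below is an added emulation of that rule written for this thread; it is not Splunk's code and not from the original post. The two-dump sample is constructed so the split is visible; the simplified model ignores the line merger and timestamp extraction that run afterwards.

```python
import re

# Constructed sample: two consecutive dir dumps as they would arrive in one
# monitored file (the post shows a single dump). Layout mirrors the post:
# a DD/MM/YYYY-HH:MM:SS,ms header, the cmd output, then the ---ENDDIR marker.
SAMPLE = (
    "19/07/2017-11:27:12,55\r\n"
    " Il volume nell'unità C è OSDisk\r\n"
    " Directory di c:\\\r\n"
    "12/11/2015  16:00    <DIR>          adsm.sys\r\n"
    "               0 File              0 byte\r\n"
    "---ENDDIR\r\n"
    "19/07/2017-11:32:40,12\r\n"
    " Il volume nell'unità C è OSDisk\r\n"
    " Directory di c:\\\r\n"
    "12/11/2015  16:00    <DIR>          adsm.sys\r\n"
    "               0 File              0 byte\r\n"
    "---ENDDIR\r\n"
)

DEFAULT_LINE_BREAKER = r"([\r\n]+)"   # Splunk's default: break at every line ending


def breaker_is_valid(line_breaker: str) -> bool:
    """A LINE_BREAKER without a capturing group cannot define a boundary;
    this is the mistake in the 'LINE_BREAKER = ---ENDDIR' attempt."""
    return re.compile(line_breaker).groups >= 1


def line_break(raw: str, line_breaker: str = DEFAULT_LINE_BREAKER) -> list[str]:
    """Simplified model of LINE_BREAKER: each match's first capturing group
    marks a boundary; text before group start belongs to the previous event,
    text after group end starts the next event, the group's text is dropped."""
    if not breaker_is_valid(line_breaker):
        raise ValueError("LINE_BREAKER must contain a capturing group")
    pattern = re.compile(line_breaker)
    events, pos = [], 0
    for m in pattern.finditer(raw):
        events.append(raw[pos:m.start(1)])
        pos = m.end(1)
    tail = raw[pos:]
    if tail:                      # trailing data with no final boundary
        events.append(tail)
    return events


if __name__ == "__main__":
    # Default breaker: one chunk per line, which the line merger must then
    # reassemble (and the listing's own dates make that go wrong).
    print(len(line_break(SAMPLE)), "chunks with the default breaker")
    # Marker breaker: one chunk per dump, ---ENDDIR retained, CRLF discarded.
    for ev in line_break(SAMPLE, r"---ENDDIR([\r\n]+)"):
        print("----\n" + ev)
```

With the marker regex the sample yields two chunks, each starting at its own header timestamp and ending in `---ENDDIR`. A common companion setting in real props.conf (not mentioned in the thread) is `SHOULD_LINEMERGE = false`, so the line merger does not try to re-break the block on the `12/11/2015`-style dates inside the listing.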


verbal_666
Builder

Works greeeeeeeeeeeeeeeeeeeeeeeeat 🙂
Thanks.
PS. I think I tried a
LINE_BREAKER = ---ENDDIR
without success before!!! I think I forgot the "carriage return linefeed" 🙂 Thanks again 🙂

WalshyB
SplunkTrust
SplunkTrust

You're welcome, try not to put the title in all caps next time 😉

verbal_666
Builder

Sure 😉 I promise 😉 Thanks again for the hint...