Getting Data In

How to index a simple dir in Windows Environment

verbal_666
Builder

Hi guys.
A simple question (I hope 🙂 ).
I need to index in a single event this very, very simple Windows .cmd output:

19/07/2017-11:27:12,55
 Il volume nell'unità C è OSDisk
 Numero di serie del volume: F445-8CA0
 Directory di c:\
12/11/2015  16:00    <DIR>          adsm.sys
09/07/2013  18:07    <DIR>          Applicazioni
09/07/2013  16:28    <DIR>          Build
20/01/2015  16:03    <DIR>          cygwin
13/06/2017  11:52    <DIR>          inetpub
09/07/2013  16:55    <DIR>          infappdata
09/07/2013  16:21    <DIR>          Intel
09/07/2013  18:07    <DIR>          IRN
09/07/2013  18:07    <DIR>          JETFORM
09/07/2013  18:03    <DIR>          Jfsa
27/11/2015  18:01    <DIR>          KVRT_Data
09/07/2013  17:48    <DIR>          MQSERIES
14/07/2009  04:37    <DIR>          PerfLogs
13/06/2017  12:04    <DIR>          Program Files
13/06/2017  12:04    <DIR>          ProgramData
02/05/2017  12:33    <DIR>          Quarantine
19/07/2017  10:27    <DIR>          Temp
19/08/2014  11:02    <DIR>          tsm_images
05/07/2017  08:39    <DIR>          Users
30/06/2017  12:29    <DIR>          Windows
30/06/2017  12:29    <DIR>          _logfiles
               0 File              0 byte
              21 Directory  431.218.503.680 byte disponibili
---ENDDIR

Now, with the default Splunk conf files (props), the INDEXER splits each line into 1 event and stops at the first new TIMESTAMP:

EVENT#1    19/07/2017-11:27:12,55
EVENT#2     Il volume nell'unità C è OSDisk
EVENT#3     Numero di serie del volume: F445-8CA0
EVENT#4     Directory di c:\

The only way I can get a single event is to insert in props.conf something like:

[mysourcetype]
BREAK_ONLY_BEFORE = ---ENDDIR

So I get my event, plus a new one (matching the BREAK_ONLY_BEFORE pattern):

(EVENT#1) 19/07/2017-11:27:12,55
  Il volume nell'unità C è OSDisk
  Numero di serie del volume: F445-8CA0
  Directory di c:\
 12/11/2015  16:00    <DIR>          adsm.sys
 09/07/2013  18:07    <DIR>          Applicazioni
 09/07/2013  16:28    <DIR>          Build
 20/01/2015  16:03    <DIR>          cygwin
 13/06/2017  11:52    <DIR>          inetpub
 09/07/2013  16:55    <DIR>          infappdata
 09/07/2013  16:21    <DIR>          Intel
 09/07/2013  18:07    <DIR>          IRN
 09/07/2013  18:07    <DIR>          JETFORM
 09/07/2013  18:03    <DIR>          Jfsa
 27/11/2015  18:01    <DIR>          KVRT_Data
 09/07/2013  17:48    <DIR>          MQSERIES
 14/07/2009  04:37    <DIR>          PerfLogs
 13/06/2017  12:04    <DIR>          Program Files
 13/06/2017  12:04    <DIR>          ProgramData
 02/05/2017  12:33    <DIR>          Quarantine
 19/07/2017  10:27    <DIR>          Temp
 19/08/2014  11:02    <DIR>          tsm_images
 05/07/2017  08:39    <DIR>          Users
 30/06/2017  12:29    <DIR>          Windows
 30/06/2017  12:29    <DIR>          _logfiles
                0 File              0 byte
               21 Directory  431.218.503.680 byte disponibili

(EVENT#2) ---ENDDIR

I also tried a

BREAK_ONLY_BEFORE_DATE = False

with no results.

Any solution?
Thanks.


WalshyB
Path Finder

Try

[mysourcetype]
LINE_BREAKER = ---ENDDIR([\r\n]+)

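An added example, not from the thread and not Splunk's own code, that mimics how LINE_BREAKER treats the accepted answer's regex on constructed sample output: only the text matched by the capturing group is discarded, so the ---ENDDIR marker stays at the tail of each event, and a breaker without a group has nothing to discard. The parser and listing diff that follow are illustrative helpers for a sourcetype fed by the questioner's script; the field names and the comparison of two runs are assumptions.

```python
import re
# Constructed sample modelled on the question's .cmd output: two runs appended to one file (CRLF).
SAMPLE = (
    "19/07/2017-11:27:12,55\r\n"
    " Numero di serie del volume: F445-8CA0\r\n"
    " Directory di c:\\\r\n"
    "12/11/2015  16:00    <DIR>          adsm.sys\r\n"
    "13/06/2017  12:04    <DIR>          Program Files\r\n"
    "---ENDDIR\r\n"
    "20/07/2017-11:30:00,10\r\n"
    " Numero di serie del volume: F445-8CA0\r\n"
    " Directory di c:\\\r\n"
    "12/11/2015  16:00    <DIR>          adsm.sys\r\n"
    "20/07/2017  09:15    <DIR>          Staging\r\n"
    "---ENDDIR\r\n"
)

# The accepted answer's regex. Splunk requires a capturing group here and, in a
# real props.conf, this is normally paired with SHOULD_LINEMERGE = false.
LINE_BREAKER = re.compile(r"---ENDDIR([\r\n]+)")
ENTRY = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2})\s+(<DIR>|[\d.]+)\s+(.+)$")
SERIAL = re.compile(r"Numero di serie del volume:\s*(\S+)")

def break_events(raw, breaker=LINE_BREAKER):
    """Mimic LINE_BREAKER: only group 1 is discarded, so ---ENDDIR ends the previous event."""
    if breaker.groups == 0:  # a bare '---ENDDIR' has nothing to discard
        raise ValueError("LINE_BREAKER needs a capturing group")
    events, start = [], 0
    for m in breaker.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    if raw[start:].strip():  # run still in progress: no marker written yet
        events.append(raw[start:])
    return events

def parse_event(event):
    """Pull the run timestamp, volume serial and root entries out of one event (assumed fields)."""
    lines = event.splitlines()
    rec = {"_time": lines[0].strip(), "serial": None, "entries": {}}
    for line in lines[1:]:
        if s := SERIAL.search(line):
            rec["serial"] = s.group(1)
        elif e := ENTRY.match(line):
            rec["entries"][e.group(4).rstrip()] = e.group(3)
    return rec

def diff_listings(prev, curr):
    """Root entries that appeared or vanished between two runs of the script."""
    before, after = set(prev["entries"]), set(curr["entries"])
    return {"added": sorted(after - before), "removed": sorted(before - after)}
```

Once each run is one event, the diff between consecutive runs is what a search would alert on: a directory appearing in the root of C:\ that was not there last time.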

verbal_666
Builder

Works greeeeeeeeeeeeeeeeeeeeeeeeat 🙂
Thanks.
P.S. I think I tried a
LINE_BREAKER = ---ENDDIR
without success before!!! I think I forgot the "carriage return linefeed" 🙂 thanks again 🙂


WalshyB
Path Finder

You're welcome, try not to put the title in all caps next time 😉


verbal_666
Builder

Sure 😉 I promise 😉 thanks again for the hint...
