I have scripted input from PowerShell coming in nicely. The script can generate 1-100 possible results which are formatted like so
So it pretty clean. But I can end up with near 100 of those blocks. These need to be broken up into seperate events in Splunk. I THINK that is done with Props.conf, I don't honestly use Splunk enough to know for sure.
So what would my props conf look like? Can someone point me to a working example of breaking up a scripted input?
Here is an example of the logs coming into splunk and the props.conf file I created
C:\Windows\system32>cd C:\Program _InternalSystems_SSLCheck_Inputs\bin
C:\Program Files\SplunkUniversalForwarder\etc\apps\SH_InternalSystems_SSLCheck_Inputs\bin>C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy RemoteSigned -File .\ssl_check.ps1 www.acompany.com 443
ssl_Issuer=VeriSign Class 3 Extended Validation SSL CA
ssl_ValidTo=8-13-2015 11:59:59 PM ssl_ValidFrom=8-12-2013 12:00:00 AM
C:\Program Files\SplunkUniversalForwarder\etc\apps\SH_InternalSystems_SSLCheck_Inputs\bin>C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy RemoteSigned -File .\ssl_check.ps1 www.acompetitor.com 443
ssl_Issuer=VeriSign Class 3 Secure Server CA - G3
ssl_ValidTo=6-7-2014 11:59:59 PM ssl_ValidFrom=6-6-2013 12:00:00 AM
Here is my props.conf, where did I go wrong? Where ssl_check is the name of the soucetype.
MUST_BREAK_AFTER = ^END$
SHOULD_LINEMERGE = true
Is your input coming in from a universal forwarder? If I'm not wrong, you have to put the props.conf somewhere else (e.g. on the heavy forwarder or the indexer) for its rules to work since universal forwarders have limited props.conf capability.
Another thing you can try is to specify the LINE_BREAKER in the props.conf
Are you seeing any errors in splunkd.log?