Getting Data In

Script Input broken into events

daniel333
Builder

All,

I have scripted input from PowerShell coming in nicely. The script can generate 1-100 possible results which are formatted like so

BEGIN
var=value
var1=value
END

So it pretty clean. But I can end up with near 100 of those blocks. These need to be broken up into seperate events in Splunk. I THINK that is done with Props.conf, I don't honestly use Splunk enough to know for sure.

So what would my props conf look like? Can someone point me to a working example of breaking up a scripted input?

Here is an example of the logs coming into splunk and the props.conf file I created

C:\Windows\system32>set SplunkApp=SH_InternalSystems_SSLCheck_Inputs
C:\Windows\system32>cd C:\Program _InternalSystems_SSLCheck_Inputs\bin
C:\Program Files\SplunkUniversalForwarder\etc\apps\SH_InternalSystems_SSLCheck_Inputs\bin>C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy RemoteSigned -File .\ssl_check.ps1 www.acompany.com 443
BEGIN
ssl_Target=www.acompany.com
ssl_Issuer=VeriSign Class 3 Extended Validation SSL CA
ssl_Port=443
ssl_ValidTo=8-13-2015 11:59:59 PM ssl_ValidFrom=8-12-2013 12:00:00 AM
END
C:\Program Files\SplunkUniversalForwarder\etc\apps\SH_InternalSystems_SSLCheck_Inputs\bin>C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy RemoteSigned -File .\ssl_check.ps1 www.acompetitor.com 443
BEGIN
ssl_Target=www.acompetitor.com
ssl_Issuer=VeriSign Class 3 Secure Server CA - G3
ssl_Port=443
ssl_ValidTo=6-7-2014 11:59:59 PM ssl_ValidFrom=6-6-2013 12:00:00 AM
END

Here is my props.conf, where did I go wrong? Where ssl_check is the name of the soucetype.

[ssl_check]
MUST_BREAK_AFTER = ^END$
SHOULD_LINEMERGE = true

Tags (2)

jonahtang
Explorer

Is your input coming in from a universal forwarder? If I'm not wrong, you have to put the props.conf somewhere else (e.g. on the heavy forwarder or the indexer) for its rules to work since universal forwarders have limited props.conf capability.

Another thing you can try is to specify the LINE_BREAKER in the props.conf

lukejadamec
Super Champion

Are you seeing any errors in splunkd.log?

0 Karma
Get Updates on the Splunk Community!

App Building 101 - Build Your First App!

WATCH RECORDING NOW   Tech Talk: App Dev Edition Splunk has tons of out-of-the-box functionality, and you’ve ...

Introducing support for Amazon Data Firehose in Splunk Edge Processor

We’re excited to announce a powerful update to Splunk Data Management with added support for Amazon Data ...

The Observability Round-Up: September 2024

What’s up Splunk Community! Welcome to the latest edition of the Observability Round-Up, a monthly series in ...