All,

I have scripted input from PowerShell coming in nicely. The script can generate 1-100 possible results which are formatted like so

BEGIN
var=value
var1=value
END

So it pretty clean. But I can end up with near 100 of those blocks. These need to be broken up into seperate events in Splunk. I THINK that is done with Props.conf, I don't honestly use Splunk enough to know for sure.

So what would my props conf look like? Can someone point me to a working example of breaking up a scripted input?

Here is an example of the logs coming into splunk and the props.conf file I created

C:\Windows\system32>set SplunkApp=SH_InternalSystems_SSLCheck_Inputs
C:\Windows\system32>cd C:\Program _InternalSystems_SSLCheck_Inputs\bin
C:\Program Files\SplunkUniversalForwarder\etc\apps\SH_InternalSystems_SSLCheck_Inputs\bin>C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy RemoteSigned -File .\ssl_check.ps1 www.acompany.com 443
BEGIN
ssl_Target=www.acompany.com
ssl_Issuer=VeriSign Class 3 Extended Validation SSL CA
ssl_Port=443
ssl_ValidTo=8-13-2015 11:59:59 PM ssl_ValidFrom=8-12-2013 12:00:00 AM
END
C:\Program Files\SplunkUniversalForwarder\etc\apps\SH_InternalSystems_SSLCheck_Inputs\bin>C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy RemoteSigned -File .\ssl_check.ps1 www.acompetitor.com 443
BEGIN
ssl_Target=www.acompetitor.com
ssl_Issuer=VeriSign Class 3 Secure Server CA - G3
ssl_Port=443
ssl_ValidTo=6-7-2014 11:59:59 PM ssl_ValidFrom=6-6-2013 12:00:00 AM
END

Here is my props.conf, where did I go wrong? Where ssl_check is the name of the soucetype.

[ssl_check]
MUST_BREAK_AFTER = ^END$
SHOULD_LINEMERGE = true