Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Tips on how to create props.conf on Splunk cloud

splunkisaurus
New Member
3 weeks ago

Greetings,

    I am trying to create a little TA to run a command to collect status for the nessus agent. I have it to the point of running the command and sending data in but the line breaking is not working correctly. I tried using the Add Data wizard but it seems to ignore the Should Line Merge = true, each line is an event. I'm new to cloud and maybe I don't know the best way to build a TA, what is the best way to do this?

   My primary problem is how do I take the following output from the script and get it loaded into one event?

Running: Yes
Safe Mode: No
Plugins loaded: Yes
Linked to: nm1.tn.gov:8834
Link status: Connected to lorem.ipsum.gov:8834
Last successful connection with controller: 4 secs ago
Proxy: None
Plugin set: 202512062114
Scanning: No (0 jobs pending, 0 smart scan configs)
Scans run today: 0 of 10 limit
Last scanned: 1765177066
Last connect: 1765301522
Last connection attempt: 1765301522

Labels (2)
Labels
0 Karma
Reply

PrewinThomas
Motivator
3 weeks ago

@splunkisaurus 

Why dont you output JSON from your script so Splunk ingests clean structured events.

You can also use props.conf if you need to split the events. In that case, you can rely on LINE_BREAKER alone and omit both SHOULD_LINEMERGE and BREAK_ONLY_BEFORE

For eg:

[nessus_agent_status]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^Running:
LINE_BREAKER = ([\r\n]+)Running:
TRUNCATE = 0
DATETIME_CONFIG = CURRENT


Regards,
Prewin
🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
3 weeks ago

Something like the following

[sourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]{2})
TIME_FORMAT=%s
TIME_PREFIX=Last connection attempt:\s*
MAX_TIMESTAMP_LOOKAHEAD=11

with the assumption that you have blocks of data where the event break is a double linefeed/CR between events. See LINE_BREAKER. Timestamp recognition is done with TIME_PREFIX, so adjust for the timestamp you want.

If this is just a single event from a running script, then you can do this instead

[your_sourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]Running)
TIME_PREFIX=Last connection attempt:\s*

which will treat the event as starting with Running, it will start a new event when it finds Running and as this occurs only once, it will put it all into the single event

Variations on a theme here are setting LINE_BREAKER to something that will never match, e.g.

([\r\n]+end_of_file)

The best way to write a TA is to create yourself a basic simple app and include the props.conf for that definition and upload it as your own app.

 

Reply

ddrillic
Ultra Champion
Wednesday

This one makes perfect sense to me - 

[your_sourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]Running)
TIME_PREFIX=Last connection attempt:\s*
0 Karma
Reply

tscroggins
Influencer
yesterday

This will eat/discard "Running," though:

LINE_BREAKER = ([\r\n]Running)

and the event will be:

: Yes
Safe Mode: No
Plugins loaded: Yes
...

In my own work with Nessus Agent, with or without Splunk, I take an approach similar to @PrewinThomas's suggestion and convert, e.g., the output of 'nessuscli agent status --local --show-uuid' to a PowerShell object, a JSON object, or whatever format makes sense for the consumer. If I were doing this today in Splunk, I would use JSON and an accelerated data model (not INDEXED_EXTRACTIONS) or field/value transformations like field_name=field_value that work with tstats and PREFIX().

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...