Getting Data In

Tips on how to create props.conf on Splunk cloud

splunkisaurus
New Member

Greetings,

    I am trying to create a little TA to run a command to collect status for the Nessus agent. I have it to the point of running the command and sending data in, but the line breaking is not working correctly. I tried using the Add Data wizard, but it seems to ignore "Should Line Merge = true"; each line is an event. I'm new to Cloud and maybe I don't know the best way to build a TA. What is the best way to do this?

   My primary problem is: how do I take the following output from the script and get it loaded into one event?

Running: Yes
Safe Mode: No
Plugins loaded: Yes
Linked to: nm1.tn.gov:8834
Link status: Connected to lorem.ipsum.gov:8834
Last successful connection with controller: 4 secs ago
Proxy: None
Plugin set: 202512062114
Scanning: No (0 jobs pending, 0 smart scan configs)
Scans run today: 0 of 10 limit
Last scanned: 1765177066
Last connect: 1765301522
Last connection attempt: 1765301522


PrewinThomas
Motivator

@splunkisaurus 

Why don't you output JSON from your script, so Splunk ingests clean, structured events?

You can also use props.conf if you need to split the events. In that case, you can rely on LINE_BREAKER alone and omit both SHOULD_LINEMERGE and BREAK_ONLY_BEFORE.

For example:

[nessus_agent_status]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^Running:
LINE_BREAKER = ([\r\n]+)Running:
TRUNCATE = 0
DATETIME_CONFIG = CURRENT


Regards,
Prewin
🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

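The JSON route suggested above, as an added example that is not part of the original answer: a scripted input (assumed to be dropped into the TA's bin directory as a hypothetical nessus_agent_status.py) runs the agent CLI, parses the "Key: value" lines shown in the question, and prints one JSON object per run so Splunk never has to guess where an event ends. The CLI path and the EPOCH_FIELDS list are assumptions; the sample text is constructed from the question and is only used with --demo, never silently substituted for real output.

```python
#!/usr/bin/env python3
"""Scripted input (added example): emit Nessus agent status as one JSON event."""
import json
import re
import subprocess
import sys
import time

# Assumed location of the agent CLI on Linux; adjust per host.
AGENT_CMD = ["/opt/nessus_agent/sbin/nessuscli", "agent", "status"]

# Fields whose value is a Unix epoch in the question's sample output (assumption).
EPOCH_FIELDS = {"last_scanned", "last_connect", "last_connection_attempt"}

# Constructed sample, copied from the question; used only with --demo.
SAMPLE_OUTPUT = """Running: Yes
Safe Mode: No
Plugins loaded: Yes
Linked to: nm1.tn.gov:8834
Link status: Connected to lorem.ipsum.gov:8834
Last successful connection with controller: 4 secs ago
Proxy: None
Plugin set: 202512062114
Scanning: No (0 jobs pending, 0 smart scan configs)
Scans run today: 0 of 10 limit
Last scanned: 1765177066
Last connect: 1765301522
Last connection attempt: 1765301522
"""


def normalize_key(key):
    """'Last connection attempt' -> 'last_connection_attempt'."""
    return re.sub(r"[^a-z0-9]+", "_", key.strip().lower()).strip("_")


def parse_status(text):
    """Parse 'Key: value' lines into a dict.

    Splits on the first colon only, so 'Linked to: host:8834' keeps its port.
    Epoch fields become ints and Yes/No become booleans; everything else stays
    a string so nothing is lost if Tenable changes the wording.
    """
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = normalize_key(key), value.strip()
        if key in EPOCH_FIELDS and value.isdigit():
            fields[key] = int(value)
        elif value in ("Yes", "No"):
            fields[key] = value == "Yes"
        else:
            fields[key] = value
    return fields


def build_event(text, now=None):
    """Wrap the parsed fields in an envelope with an explicit collection time,
    so the sourcetype can use TIME_PREFIX="time": and TIME_FORMAT=%s."""
    event = {"time": int(now if now is not None else time.time()),
             "source": "nessus_agent_status"}
    event.update(parse_status(text))
    return event


def run_agent_status():
    """Return the CLI's stdout, or None if it is missing, fails or hangs."""
    try:
        return subprocess.run(AGENT_CMD, capture_output=True, text=True,
                              check=True, timeout=30).stdout
    except (OSError, subprocess.CalledProcessError, subprocess.TimeoutExpired):
        return None


if __name__ == "__main__":
    text = SAMPLE_OUTPUT if "--demo" in sys.argv else run_agent_status()
    if text is None:
        sys.exit("nessus_agent_status: agent CLI not found or failed")
    # One line per run; Splunk breaks on the newline and parses the JSON.
    print(json.dumps(build_event(text), separators=(",", ":")))
```

Pair it with a sourcetype stanza that needs no line merging at all: SHOULD_LINEMERGE = false, LINE_BREAKER = ([\r\n]+), KV_MODE = json, TIME_PREFIX = "time":, TIME_FORMAT = %s, MAX_TIMESTAMP_LOOKAHEAD = 11. Because the epoch fields are emitted as numbers, searches such as `| eval age=now()-last_connect` work without a tonumber().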

bowesmana
SplunkTrust

Something like the following

[sourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]{2})
TIME_FORMAT=%s
TIME_PREFIX=Last connection attempt:\s*
MAX_TIMESTAMP_LOOKAHEAD=11

with the assumption that you have blocks of data where the event break is a double linefeed/CR between events. See LINE_BREAKER. Timestamp recognition is done with TIME_PREFIX, so adjust for the timestamp you want.

If this is just a single event from a running script, then you can do this instead

[your_sourcetype]
SHOULD_LINEMERGE=false
# Capture group = delimiter (discarded); the lookahead keeps "Running" in the event
LINE_BREAKER=([\r\n]+)(?=Running)
TIME_PREFIX=Last connection attempt:\s*
TIME_FORMAT=%s
MAX_TIMESTAMP_LOOKAHEAD=11

which will treat the event as starting with Running; it will start a new event when it finds Running, and as this occurs only once, it will put it all into the single event.

Variations on a theme here are setting LINE_BREAKER to something that will never match, e.g.

([\r\n]+end_of_file)

The best way to write a TA is to create yourself a basic simple app and include the props.conf for that definition and upload it as your own app.


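The LINE_BREAKER semantics the two stanzas above rely on, as an added check that is not part of the original answer: Splunk treats the text matched by the regex's single capture group as the delimiter and discards it, anything before the group in the match ends the previous event and anything after it starts the next. The small emulator below (my own code, not Splunk's) applies that rule to a constructed two-run stream so you can see which patterns keep "Running" in the event, why a breaker that never matches yields one event, and why [\r\n]{2} breaks on every line when the script emits CRLF endings.

```python
import re

# Constructed stream: two consecutive runs of the status script, LF endings.
RUN = ("Running: Yes\n"
       "Safe Mode: No\n"
       "Last connection attempt: 1765301522\n")
STREAM = RUN + RUN.replace("1765301522", "1765301600")
# Same run with Windows-style CRLF endings, for the [\r\n]{2} caveat.
CRLF_RUN = RUN.replace("\n", "\r\n")


def splunk_line_break(raw, line_breaker):
    """Emulate LINE_BREAKER with SHOULD_LINEMERGE=false.

    The regex must contain exactly one capture group. Text up to the start of
    the group belongs to the previous event, the group itself is dropped, and
    text after the group (including the rest of the match) begins the next
    event. Empty or whitespace-only chunks are not emitted.
    """
    pattern = re.compile(line_breaker)
    if pattern.groups != 1:
        raise ValueError("LINE_BREAKER needs exactly one capture group")
    events, pos = [], 0
    for m in pattern.finditer(raw):
        chunk = raw[pos:m.start(1)]
        if chunk.strip():
            events.append(chunk)
        pos = m.end(1)
    tail = raw[pos:]
    if tail.strip():
        events.append(tail)
    return events


def first_lines(events):
    """First line of each event, handy for eyeballing the split."""
    return [e.splitlines()[0] for e in events]


if __name__ == "__main__":
    # Group swallows "Running": second event starts with ": Yes".
    print(first_lines(splunk_line_break(STREAM, r"([\r\n]Running)")))
    # Lookahead keeps the keyword: both events start with "Running: Yes".
    print(first_lines(splunk_line_break(STREAM, r"([\r\n]+)(?=Running)")))
    # Never-matching breaker: the whole stream is one event.
    print(len(splunk_line_break(STREAM, r"([\r\n]+end_of_file)")))
    # [\r\n]{2} matches a single CRLF, so CRLF output is split per line.
    print(len(splunk_line_break(CRLF_RUN, r"([\r\n]{2})")))
    # A breaker that means "blank line" regardless of line-ending style.
    print(len(splunk_line_break(CRLF_RUN + "\r\n" + CRLF_RUN, r"(\r?\n\r?\n)")))
```

The practical takeaways: put the keyword in a lookahead, or after the closing parenthesis as in ([\r\n]+)Running:, so it is not consumed; and if the script may run on Windows, write the blank-line breaker as (\r?\n\r?\n) rather than ([\r\n]{2}). Note the emulation only covers the breaking rule; it does not model Splunk's 10,000 byte line-breaking lookahead or timestamp extraction.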