Re: Why is the text Log Broken into Multiple Event...

bteele · ‎01-29-2018

We have Powershell logs being written to text files along with a Windows path. We have a Splunk app monitoring that location for data. Splunk is ingesting the data from the files, but the data is being broken into numerous events. For small text files, it might be 2 or 3 events in Splunk for one file. For larger files, it can be upwards of 7 events.

Does anyone know why Splunk is ingesting the data in pieces? We'd prefer to have all of the data from one file in a single event.

App inputs config:

[monitor://C:\Windows\Logs\Powershell]
index = winpowershell
disabled = 0

Example Text Content:

#line of asterisks###################
Windows PowerShell transcript start
Start time: 20180129104808
Username: blah\blah
RunAs User: blah\blah
Machine: nameblah (OS version blah)
Host Application: C:\Windows\system32\longscriptblah
Process ID: number
PSVersion: number
PSEdition: thing
PSCompatibleVersions: numbers
BuildVersion: number
CLRVersion: number
WSManStackVersion: number
PSRemotingProtocolVersion: number
SerializationVersion: number
#line of asterisks###################
PS>& 'path'
PS51
PS>$global:?
True
#line of asterisks###################
Windows PowerShell transcript end
End time: 20180129104808
#line of asterisks###################

Example Splunk Events:

Event 1: 
#line of asterisks###################
Windows PowerShell transcript start

Event 2:

Start time: 20180129104808
Username: blah\blah
RunAs User: blah\blah
Machine: nameblah (OS version blah)
Host Application: C:\Windows\system32\longscriptblah
Process ID: number
PSVersion: number
PSEdition: thing
PSCompatibleVersions: numbers
BuildVersion: number
CLRVersion: number
WSManStackVersion: number
PSRemotingProtocolVersion: number
SerializationVersion: number
#line of asterisks###################
PS>& 'path'
PS51
PS>$global:?
True
#line of asterisks###################
Windows PowerShell transcript end

Event 3:

End time: 20180129104808
#line of asterisks###################

vincenteous · ‎01-29-2018

Hi bteele,

I think you can use the trick in the link here to fulfill your requirement.
Basically, you have to use props.conf file in your indexer to merge the incoming events from your powershell sourcetype and set up line breaker to a non-existent word/character.

Hope this helps.

davpx · ‎01-29-2018

You will want to configure proper line breaking on this input by specifying the following parameters for this in props.conf on your indexer. For this file it should look something like...

[source::C:\Windows\Logs\Powershell]
SHOULD_LINEMERGE = false
LINE_BREAKER = (End time:\s+\d+)([\r\n]+)
TIME_FORMAT = %Y%m%d%H%M%S
TIME_PREFIX = ^Start Time:
MAX_TIMESTAMP_LOOKAHEAD = 14

bteele · ‎02-14-2018

Thanks. I updated the indexer props file with this, but it's still breaking the text up into different events. I haven't had much time to troubleshoot it further, but wanted to thank you for your help so far.

Any idea where I should start troubleshooting?

richgalloway · ‎01-29-2018

What are the props.conf settings for the souretype?
Depending on how frequently the file is updated, you may want to set time_before_close to a value greater than 3 in inputs.conf.

---
If this reply helps you, Karma would be appreciated.

Why is the text Log Broken into Multiple Events?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk