Re: Why is the text Log Broken into Multiple Event...

bteele · ‎01-29-2018

We have Powershell logs being written to text files along with a Windows path. We have a Splunk app monitoring that location for data. Splunk is ingesting the data from the files, but the data is being broken into numerous events. For small text files, it might be 2 or 3 events in Splunk for one file. For larger files, it can be upwards of 7 events.

Does anyone know why Splunk is ingesting the data in pieces? We'd prefer to have all of the data from one file in a single event.

App inputs config:

[monitor://C:\Windows\Logs\Powershell]
index = winpowershell
disabled = 0

Example Text Content:

#line of asterisks###################
Windows PowerShell transcript start
Start time: 20180129104808
Username: blah\blah
RunAs User: blah\blah
Machine: nameblah (OS version blah)
Host Application: C:\Windows\system32\longscriptblah
Process ID: number
PSVersion: number
PSEdition: thing
PSCompatibleVersions: numbers
BuildVersion: number
CLRVersion: number
WSManStackVersion: number
PSRemotingProtocolVersion: number
SerializationVersion: number
#line of asterisks###################
PS>& 'path'
PS51
PS>$global:?
True
#line of asterisks###################
Windows PowerShell transcript end
End time: 20180129104808
#line of asterisks###################

Example Splunk Events:

Event 1: 
#line of asterisks###################
Windows PowerShell transcript start

Event 2:

Start time: 20180129104808
Username: blah\blah
RunAs User: blah\blah
Machine: nameblah (OS version blah)
Host Application: C:\Windows\system32\longscriptblah
Process ID: number
PSVersion: number
PSEdition: thing
PSCompatibleVersions: numbers
BuildVersion: number
CLRVersion: number
WSManStackVersion: number
PSRemotingProtocolVersion: number
SerializationVersion: number
#line of asterisks###################
PS>& 'path'
PS51
PS>$global:?
True
#line of asterisks###################
Windows PowerShell transcript end

Event 3:

End time: 20180129104808
#line of asterisks###################

vincenteous · ‎01-29-2018

Hi bteele,

I think you can use the trick in the link here to fulfill your requirement.
Basically, you have to use props.conf file in your indexer to merge the incoming events from your powershell sourcetype and set up line breaker to a non-existent word/character.

Hope this helps.

davpx · ‎01-29-2018

You will want to configure proper line breaking on this input by specifying the following parameters for this in props.conf on your indexer. For this file it should look something like...

[source::C:\Windows\Logs\Powershell]
SHOULD_LINEMERGE = false
LINE_BREAKER = (End time:\s+\d+)([\r\n]+)
TIME_FORMAT = %Y%m%d%H%M%S
TIME_PREFIX = ^Start Time:
MAX_TIMESTAMP_LOOKAHEAD = 14

bteele · ‎02-14-2018

Thanks. I updated the indexer props file with this, but it's still breaking the text up into different events. I haven't had much time to troubleshoot it further, but wanted to thank you for your help so far.

Any idea where I should start troubleshooting?

richgalloway · ‎01-29-2018

What are the props.conf settings for the souretype?
Depending on how frequently the file is updated, you may want to set time_before_close to a value greater than 3 in inputs.conf.

---
If this reply helps you, Karma would be appreciated.

Why is the text Log Broken into Multiple Events?

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Are you a member of the Splunk Community?

Why is the text Log Broken into Multiple Events?

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions