I have been experimenting with indexing Nessus plugins. On my laptop where I have a test Splunk instance and scanner, I was able to successfully get Splunk to treat each plugin file as a single event. This seemed to work because every file starts with a # and comment:
[nessus_plugins]
TRUNCATE = 0
SHOULD_LINEMERGE = true
MUST_NOT_BREAK_AFTER = (#)
In our production environment, Nessus doesn't run on the Splunk server. I installed a Splunk forwarder on the Nessus box and used the same inputs.conf file from my laptop. I put the transforms.conf and props.conf on the Splunk server.
I noticed that a number of the plugins were being split up into multiple events. Some were multiple single line events, some events were chunks of 10-30 lines each. There didn't seem to be any obvious reason why Splunk was choosing to break the lines where it did.
I dropped the index, deleted the fishbucket on the Nessus box, and copied the props.conf file to the Nessus server. Now each config file is being treated as a single event.
If an input has some kind of line breaking logic to it, does that mean that the props.conf file must exist on the Splunk instance that manages the input or can it just run on the central indexer?
Thx.
Craig
Try using
[nessus_plugins]
BREAK_ONLY_BEFORE = ^#
Line breaking takes place in the parsing phase, which happens either on the Indexer, if you have a Universal or Lightweight Forwarder, or on a Heavy Forwarder if that is what you use.
Please see:
http://docs.splunk.com/Documentation/Splunk/4.3/Admin/Configurationparametersandthedatapipeline
http://docs.splunk.com/Documentation/Splunk/4.3/Deploy/Datapipeline
Hope this helps,
Kristian
Assuming you are using a Universal Forwarder or Light Forwarder, then there is no parsing done on the forwarder. In fact the forwarder has no concept of events and is simply sending chunks of data to the indexer (along with some basic metadata like host, source and source type).
The best source of info I know of to explain where you need to put the configurations files (i.e. on the forwarder, indexer, search head) is this link http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F
In your case the forwarder will probably only need an inputs.conf with the "sourcetype=nessus_plugins" under the monitor.
On the indexer you are better off setting the LINE_BREAKER parameter to something that will never match. This is because Line Breaking happens before Line merging, so there is a performance gain in using the line breaking before having to use the more expensive line merging RE engine.
Assuming you have set the source-type to "nessus_plugins" on the forwarder, if you set the following in props.conf on the indexer it should work fine:
[nessus_plugins]
TRUNCATE = 0
LINE_BREAKER = (?!)
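As an added illustration (not code from this thread, and not Splunk's own implementation), the Python script below is a deliberately simplified model of the two props.conf stages discussed above: line breaking with LINE_BREAKER, followed by line merging when SHOULD_LINEMERGE is true. It runs the three stanzas posted in this thread against a constructed file written in the style of a Nessus NASL plugin and counts the events each one produces, so you can see why a date-bearing line inside a plugin can start a new event under the original stanza while a never-matching LINE_BREAKER keeps the whole file together. Assumptions: Splunk's real timestamp recognition is replaced by a YYYY/MM/DD regex, TRUNCATE is ignored, the rule precedence is simplified, and only the MAX_EVENTS default of 256 lines per merged event is kept. Treat the counts as what the model gives; confirm the real behaviour with `splunk btool props list nessus_plugins --debug` on the host that actually parses (the heavy forwarder or the indexer) and a search such as `sourcetype=nessus_plugins | stats count by source`.

```python
import re

# Splunk's default LINE_BREAKER; the capture group is consumed, so runs of
# newlines (blank lines) disappear from the event text.
DEFAULT_LINE_BREAKER = r"([\r\n]+)"

# Stand-in for Splunk's timestamp recognition (assumption: dates in the
# sample are written as YYYY/MM/DD, which is all this model needs).
DATE_RE = re.compile(r"\d{4}/\d{2}/\d{2}")

# Constructed sample in the style of a Nessus NASL plugin; not a real plugin.
SAMPLE_PLUGIN = """\
#
# (C) Example Corp.
#

include("compat.inc");

if (description)
{
  script_id(100000);
  script_version("$Revision: 1.0 $");
  script_cvs_date("$Date: 2012/03/01 12:00:00 $");
  script_name(english:"Constructed sample plugin");
  script_set_attribute(attribute:"vuln_publication_date", value:"2012/02/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/02/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/03/01");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();
  exit(0);
}

port = get_http_port(default:80);
"""

# The three stanzas posted in this thread, as key/value dicts.
ORIGINAL_STANZA = {"TRUNCATE": "0", "SHOULD_LINEMERGE": "true",
                   "MUST_NOT_BREAK_AFTER": "(#)"}
BREAK_BEFORE_HASH = {"BREAK_ONLY_BEFORE": "^#"}
NEVER_BREAK = {"TRUNCATE": "0", "LINE_BREAKER": "(?!)"}


def line_break(text, line_breaker=DEFAULT_LINE_BREAKER):
    """Stage 1: cut the raw stream wherever LINE_BREAKER matches.  The text
    matched by the regex is discarded, as Splunk does with the capture group.
    A regex that never matches, such as (?!), leaves the whole file as one
    piece."""
    pieces, pos = [], 0
    for m in re.finditer(line_breaker, text):
        if m.end() == m.start():
            continue  # ignore zero-width matches
        pieces.append(text[pos:m.start()])
        pos = m.end()
    pieces.append(text[pos:])
    return [p for p in pieces if p != ""]


def line_merge(lines, break_only_before=None, must_not_break_after=None,
               max_events=256):
    """Stage 2 (SHOULD_LINEMERGE = true): glue lines back into events.
    Simplified model: a new event starts before a line matching
    BREAK_ONLY_BEFORE, or, when that is unset, before a line carrying a
    timestamp; MUST_NOT_BREAK_AFTER vetoes the break when the previous line
    matches; MAX_EVENTS forces a break once an event is already that long."""
    events, current = [], []
    for line in lines:
        if current:
            if break_only_before is not None:
                new_event = re.search(break_only_before, line) is not None
            else:
                new_event = DATE_RE.search(line) is not None
            if must_not_break_after is not None and \
                    re.search(must_not_break_after, current[-1]):
                new_event = False
            if len(current) >= max_events:
                new_event = True
            if new_event:
                events.append("\n".join(current))
                current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def splunk_events(text, stanza):
    """Apply one props.conf stanza (a dict of settings) to a file's contents
    and return the list of events the model would index."""
    lines = line_break(text, stanza.get("LINE_BREAKER", DEFAULT_LINE_BREAKER))
    if stanza.get("SHOULD_LINEMERGE", "true").lower() != "true":
        return lines
    return line_merge(lines,
                      stanza.get("BREAK_ONLY_BEFORE"),
                      stanza.get("MUST_NOT_BREAK_AFTER"),
                      int(stanza.get("MAX_EVENTS", 256)))


def event_counts(text):
    """Number of events each posted stanza yields for one file's contents."""
    return {
        "original (MUST_NOT_BREAK_AFTER)": len(splunk_events(text, ORIGINAL_STANZA)),
        "BREAK_ONLY_BEFORE = ^#": len(splunk_events(text, BREAK_BEFORE_HASH)),
        "LINE_BREAKER = (?!)": len(splunk_events(text, NEVER_BREAK)),
    }


if __name__ == "__main__":
    for name, n in event_counts(SAMPLE_PLUGIN).items():
        print(f"{name:35s} -> {n} event(s)")
```

In the model the original stanza splits the sample at every date-bearing attribute line whose predecessor contains no `#`, `BREAK_ONLY_BEFORE = ^#` starts a new event at each line of the comment header, and `LINE_BREAKER = (?!)` returns the file unchanged as a single event. The 256-line MAX_EVENTS cap still applies to merged events, so a long plugin indexed with line merging will be cut there regardless of MUST_NOT_BREAK_AFTER; the never-matching LINE_BREAKER avoids the merge stage doing any splitting at all, which is the performance point made above.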
Yes if you are using a heavy forwarder then the forwarder does all of the "index-time" parsing and sends the cooked events to the Splunk Indexer which simply indexes them. In that scenario you would indeed need to put the props.conf listed above on the heavy forwarder. The Indexer (or search head if you have a separate search head) would only need a props.conf for "search-time" configuration like field extractions.
The props.conf config you listed is what I was originally using and didn't work once the nessus server wasn't indexing any data. Maybe Kristian below has highlighted the issue -- heavy forwarders (which it currently is) do some parsing?