Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you edit props.conf to correctly parse data from a PowerShell script?

ckeller2791
Explorer
‎01-31-2019 08:35 AM

I have a powershell script which feeds data into Splunk via a UDP port. The output of the script is as follows:

AbatInstanceID=32107862
AbatBatchID=32107825
AbatPlanName=ABM - Partner Remittance Loader -ASOBilling
AbatJobName=Execute Java partnerRemittanceLoader
AbatJobPath=/HXSPRD01/Promotable Objects/Plans/Business Processes/ABM/ABM - Partner Remittance Loader -ASOBilling
AbatStatus=Successful
AbatQueue=ExecutionQ1 HXSPRD01
AbatStartTime=01/31/2019 11:00:10
AbatEndTime=01/31/2019 11:00:36
AbatElapsedTime=0:0:0:23
AbatLogFile=\\CO1-BAXPRD01\ASCI_ABATLOG\CO1BASPRD01\ExecutionQ1 HXSPRD01\Execute Java partnerRemittanceLoader_0032107862-31Jan2019-160001_001.log

When the data is ingested into Splunk, it treats that input as two separate events splitting on the line where AbatStartTime and AbatEndTime are located due to there being two different date/time stamps. I am having trouble nailing down the correct regex syntax for parsing AbatStartTime as the official timestamp for the event. I have the powershell script output a double carriage return to separate the event. My sourcetype config is as follows

CHARSET = ASCII
BREAK_ONLY_BERFORE = ([\r\n\r\n]+)
LINE_BREAK = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 150
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_PREFIX = ^AbatStartTime=\s
TZ = America/New_York
category = Custom
pulldown_type = true

Any assistance would be appreciated.

0 Karma
Reply

ckeller2791
Explorer
‎02-01-2019 06:50 AM

Thank you both for you advise, I did a little tweaking and the final setting that got it working were

[activebatch]
BREAK_ONLY_BEFORE = AbatInstanceID
SHOULD_LINEMERGE = true
CHARSET = ASCII
DATETIME_CONFIG =
LINE_BREAKER = AbatInstanceID
NO_BINARY_CHECK = true
TIME_FORMAT = %m/%d/%Y %H:%M:%S
TIME_PREFIX = AbatStartTime=
TZ = America/New_York
category = Custom
pulldown_type = true

0 Karma
Reply

woodcock
Esteemed Legend
‎01-31-2019 04:11 PM

You almost certainly have too many settings that are likely to cause problems. Try this ONLY:

SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n\r\n]+)
NO_BINARY_CHECK = true
TIME_PREFIX = [\r\n]+AbatStartTime\s*=\s*
TIME_FORMAT = %m/%d/%Y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
TZ = America/New_York
category = Custom
0 Karma
Reply

mayurr98
Super Champion
‎01-31-2019 10:03 AM

alt text

I think your sourcetype should be like this : 

[ sourcetypename]
SHOULD_LINEMERGE=true
CHARSET=ASCII
BREAK_ONLY_BEFORE=AbatInstanceID
TIME_PREFIX=AbatStartTime=
TIME_FORMAT=%m/%d/%Y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD=150
Preview file
1 KB
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...