Hopefully this is just a stupid regex error:
I'm using SplunkLightForwarder on AIX to send a few .sh_history logs to an indexer on Windows. Unfortunately ksh uses nulls as delimiters between commands--and it sometimes throws an extra null in for no apparent reason. This makes the Splunk events look something like this:
Event 1
cd /etc
\x00\x00ls
Event 2
mkdir test
\x00cd test
In other words, multiple events are incorrectly merged, and nulls are sprinkled throughout the logs. I spent a good deal of time trying to solve this (line merge/break settings, transforms, etc.). I ended up with the following in props.conf on my indexer:
[sourcetype]
LINE_BREAKER=(\\x00+)
This works beautifully, except when I exit the shell after testing this out, what shows up in Splunk?
eit
I can't figure out how in the world my regex is matching the x in exit. I later changed it to
LINE_BREAKER=((?:\\x00)+)
but it still eats the first 'x' in every event (axbxcx becomes abxcx). I've verified that there are no nulls adjacent to the x in the source.
Thanks in advance for your help!
Example data, zipped: http://www.mediafire.com/file/wwckoeo36v8p0v6/ksh-history-example.zip
$ tr "\000" "@" < ksh-history-example
mkdir -p test1/test2/test3
@cd test1
@ls
@cd test2
@ls
@cd test3
@ls
@cd ..
@@cd ..
@@ls
@cd ..
@@pwd
@@
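To show the event splitting the post is after, here is an added example (not part of the original post or of Splunk): it splits a constructed ksh history byte string, shaped like the `tr` output above, on runs of NUL bytes so that a doubled NUL does not produce an empty event, and it shows that a pattern with a doubled backslash (`\\x00`) matches the literal text "\x00" rather than a NUL byte.

```python
import re

# Constructed sample of a ksh .sh_history file, mirroring the structure shown
# by the `tr "\000" "@"` output above: commands separated by one or more NULs.
SAMPLE = (
    b"mkdir -p test1/test2/test3\x00cd test1\x00ls\x00cd test2\x00ls\x00"
    b"cd test3\x00ls\x00cd ..\x00\x00cd ..\x00\x00ls\x00cd ..\x00\x00pwd\x00\x00"
)

# One or more NUL bytes form a single event boundary (the intent of \x00+).
NUL_RUN = re.compile(rb"\x00+")

# Doubling the backslash turns the pattern into: literal '\', 'x', '0', '0'...
# i.e. it looks for the four characters "\x00" in the text, never a NUL byte.
ESCAPED_PATTERN = re.compile(rb"\\x00+")


def split_history(data: bytes) -> list[str]:
    """Return one command string per event, collapsing runs of NULs.

    Empty chunks (from a leading, trailing or doubled NUL) are dropped, so the
    stray extra NUL that ksh sometimes writes does not become its own event.
    """
    return [chunk.decode("utf-8", errors="replace")
            for chunk in NUL_RUN.split(data) if chunk]


def split_on_single_nul(data: bytes) -> list[str]:
    """Split on every individual NUL; doubled NULs yield empty events."""
    return [chunk.decode("utf-8", errors="replace")
            for chunk in data.split(b"\x00")]


def escaped_pattern_matches(data: bytes) -> bool:
    """True only if the data contains the literal text '\\x00' somewhere."""
    return ESCAPED_PATTERN.search(data) is not None


def show_nuls(data: bytes) -> str:
    """Render NUL bytes as '@', like the tr command used to inspect the file."""
    return data.replace(b"\x00", b"@").decode("utf-8", errors="replace")


if __name__ == "__main__":
    print(show_nuls(SAMPLE))
    for i, cmd in enumerate(split_history(SAMPLE), 1):
        print(f"event {i}: {cmd}")
    print("escaped pattern matched NULs:", escaped_pattern_matches(SAMPLE))
```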